CN110352605A - A kind of adding method, relevant device and the system of authentication arithmetic program - Google Patents

Info

Publication number: CN110352605A
Authority: CN (China)
Prior art keywords: euicc, arithmetic program, authentication arithmetic, configuration file, information
Legal status: Granted (currently active)
Application number: CN201780087674.1A
Other languages: Chinese (zh)
Other versions: CN110352605B (en)
Inventors: 于小博, 龙水平, 高林毅
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN110352605A
Application granted
Publication of CN110352605B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 8/00 Network data management
            • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
              • H04W 8/183 Processing at user equipment or user record carrier
              • H04W 8/20 Transfer of user or subscriber data
                • H04W 8/205 Transfer to or from user equipment or user record carrier
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
            • H04W 12/06 Authentication
            • H04W 12/30 Security of mobile devices; Security of mobile applications
              • H04W 12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
            • H04W 12/40 Security arrangements using identity modules
              • H04W 12/42 Security arrangements using identity modules using virtual identity modules
              • H04W 12/43 Security arrangements using identity modules using shared identity modules, e.g. SIM sharing
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Stored Programmes (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention disclose a method, related devices and a system for adding an authentication algorithm program (the "authentication arithmetic program" of the title). The method comprises: an SM-DP+ server receives an authentication algorithm program sent by an MNO, where the authentication algorithm program corresponds to target information, and the target information is at least one of the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; the SM-DP+ server generates a bound profile package that includes the authentication algorithm program and sends the bound profile package to the eUICC through the LPA. Thus, by implementing the method of the first aspect, an authentication algorithm program can be added to the eUICC in time.

Description

A kind of adding method, relevant device and the system of authentication arithmetic program
Technical field
The present invention relates to the field of terminal technology, and in particular to a method, related devices and a system for adding an authentication algorithm program (the "authentication arithmetic program" of the title; the term is used in that sense throughout).
Background art
An embedded Universal Integrated Circuit Card (eUICC), also referred to as an embedded Subscriber Identity Module (eSIM), can be placed in a user terminal (such as a mobile phone or a tablet computer) as a pluggable or a soldered component.
In practical applications, once the eUICC has downloaded and installed a profile provided by a mobile network operator (MNO), it can activate the profile and thereby access the operator's network (such as a 2G/3G/4G network).
A profile is a set of operator data and applications. It generally includes network access application parameters such as the key parameter Ki and the International Mobile Subscriber Identity (IMSI), the Mobile Network Operator Security Domain (MNO-SD), Supplementary Security Domains (SSD), the Controlling Authority Security Domain (CASD), applications (such as NFC applications), Java Card programs, a file system and other elements, together with profile metadata, which includes the Profile Policy Rules. The correspondence between IMSI and Ki identifies the user who requests network authentication.
Before the eUICC can successfully access the operator's network with the profile, network authentication must also be carried out. Network authentication is a process for verifying the identities of the network entity and of the eUICC. An authentication algorithm program is needed during network authentication; for example, it may be a piece of code that implements the authentication algorithm, or data that describes the authentication algorithm. The authentication algorithm program can be used to generate the corresponding authentication response (SRES) and to derive the Cipher Key (CK) and the Integrity Key (IK).
In practice, however, it has been found that the eUICC may lack the authentication algorithm program corresponding to the authentication algorithm that is to be used, so that the eUICC cannot successfully register the profile with the network. How to add to the eUICC the authentication algorithm program it lacks is therefore a problem that urgently needs to be solved.
Summary of the invention
The embodiments of the invention disclose a method, related devices and a system for adding an authentication algorithm program, by which the authentication algorithm program corresponding to an authentication algorithm that the eUICC lacks can be added to the eUICC.
In a first aspect, a method for adding an authentication algorithm program comprises: a Subscription Manager Data Preparation (SM-DP+) server receives an authentication algorithm program sent by a mobile network operator (MNO), the authentication algorithm program corresponding to target information, where the target information is at least one of the firmware version information of the embedded Universal Integrated Circuit Card (eUICC), the eUICC identifier (EID) issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; the SM-DP+ server generates a bound profile package that includes the authentication algorithm program, and sends the bound profile package to the eUICC through the Local Profile Assistant (LPA).
Optionally, the authentication algorithm program is added to the authentication algorithm program set of the eUICC. Optionally, the authentication algorithm program set may reside in the telecom framework of the eUICC.
By implementing the method of the first aspect, the MNO can transmit the authentication algorithm program that the eUICC lacks to the SM-DP+ server, and the SM-DP+ server can produce a bound profile package that includes the authentication algorithm program as well as the profile. That is, the SM-DP+ server can place the profile to be downloaded by the eUICC and the authentication algorithm program the eUICC lacks in a single bound profile package and send it to the eUICC. When the eUICC then runs the profile, it can use the authentication algorithm program downloaded together with the profile to prove the legitimacy of its identity. The method of the first aspect therefore allows the authentication algorithm program to be added to the eUICC in time.
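The eUICC side of the first aspect, as an added example that is not part of the patent: a telecom framework holding the authentication algorithm program set, a profile that names the algorithm it needs, and a bound profile package that carries the profile together with the missing program. The HMAC-based algorithm, the class and field names, and the ICCID/IMSI/Ki values are all constructed for illustration; the algorithm is a stand-in, not a real operator algorithm.

```python
"""Constructed model of the eUICC side: a telecom framework holding the
authentication algorithm program set, a profile naming the algorithm it needs,
and a bound profile package (BPP) carrying profile plus program. Illustrative
only, not the patent's own code; the HMAC-based algorithm is a stand-in."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

AuthResult = Tuple[bytes, bytes, bytes]  # (RES/SRES, CK, IK)


class MissingAlgorithmProgram(Exception):
    """The profile names an algorithm the eUICC does not carry."""


def toy_algorithm(ki: bytes, rand: bytes) -> AuthResult:
    """Constructed stand-in: RES, CK and IK derived from Ki and RAND with
    HMAC-SHA256 under distinct labels. Not a 3GPP algorithm."""
    def prf(label: bytes, length: int) -> bytes:
        return hmac.new(ki, label + rand, hashlib.sha256).digest()[:length]
    return prf(b"RES", 8), prf(b"CK", 16), prf(b"IK", 16)


@dataclass
class AlgorithmProgram:
    identifier: str                       # e.g. "GD_01", an identifier used on the page
    version: str
    run: Callable[[bytes, bytes], AuthResult]


@dataclass
class Profile:
    iccid: str
    imsi: str
    ki: bytes
    algorithm_id: str                     # program that network authentication needs


@dataclass
class BoundProfilePackage:
    profile: Profile
    algorithm_program: Optional[AlgorithmProgram] = None


class TelecomFramework:
    """Holds the eUICC's authentication algorithm program set."""
    def __init__(self) -> None:
        self.programs: Dict[str, AlgorithmProgram] = {}

    def add_program(self, program: AlgorithmProgram) -> None:
        self.programs[program.identifier] = program


class EUICC:
    def __init__(self) -> None:
        self.framework = TelecomFramework()
        self.profiles: Dict[str, Profile] = {}

    def install(self, bpp: BoundProfilePackage) -> None:
        # A BPP that carries a program adds it to the program set before the
        # profile is stored, so the profile can authenticate right away.
        if bpp.algorithm_program is not None:
            self.framework.add_program(bpp.algorithm_program)
        self.profiles[bpp.profile.iccid] = bpp.profile

    def authenticate(self, iccid: str, rand: bytes) -> AuthResult:
        profile = self.profiles[iccid]
        program = self.framework.programs.get(profile.algorithm_id)
        if program is None:
            raise MissingAlgorithmProgram(
                f"profile {iccid} needs algorithm {profile.algorithm_id}")
        return program.run(profile.ki, rand)


# Constructed sample data.
SAMPLE_PROFILE = Profile(iccid="8986000000000000001", imsi="460000000000001",
                         ki=bytes.fromhex("00112233445566778899aabbccddeeff"),
                         algorithm_id="GD_01")
SAMPLE_PROGRAM = AlgorithmProgram("GD_01", "1.0", toy_algorithm)
SAMPLE_RAND = bytes(range(16))


def demo() -> Dict[str, object]:
    """Install the profile alone (authentication fails for lack of the program),
    then re-install it in a BPP that also carries the program (succeeds)."""
    euicc = EUICC()
    euicc.install(BoundProfilePackage(SAMPLE_PROFILE))
    try:
        euicc.authenticate(SAMPLE_PROFILE.iccid, SAMPLE_RAND)
        before = "authenticated"
    except MissingAlgorithmProgram:
        before = "missing program"
    euicc.install(BoundProfilePackage(SAMPLE_PROFILE, SAMPLE_PROGRAM))
    res, ck, ik = euicc.authenticate(SAMPLE_PROFILE.iccid, SAMPLE_RAND)
    return {"before": before, "after": "authenticated", "res": res, "ck": ck,
            "ik": ik, "programs": sorted(euicc.framework.programs)}


if __name__ == "__main__":
    print(demo())
```

The first install reproduces the failure mode from the background section (a profile whose algorithm is absent cannot complete network authentication); the second shows why bundling the program into the same BPP resolves it without a separate update step.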
As an optional embodiment, the target information may be one or more of the four kinds of information above (the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC), and the MNO can find the corresponding authentication algorithm program from the target information. For example, the target information includes the firmware version information of the eUICC. During contract signing between the user terminal and the MNO server, the MNO server can receive the firmware version information of the eUICC. Having received it, the MNO server finds the corresponding authentication algorithm program according to the received firmware version information of the eUICC.
As another example, the target information includes the EID issuer identifier of the eUICC. During contract signing between the user terminal and the MNO server, the MNO server can receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the EID issuer identifier from the EID, and the MNO finds the corresponding authentication algorithm program according to the EID issuer identifier.
As another example, the target information includes the platform/operating system version information. During contract signing between the user terminal and the MNO server, the MNO server can receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the platform/operating system version information from the EID, and the MNO finds the corresponding authentication algorithm program according to the platform/operating system version information.
As another example, the target information includes the EID issuer identifier and the platform/operating system version information. During contract signing between the user terminal and the MNO server, the MNO server can receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the EID issuer identifier and the platform/operating system version information of the eUICC from the EID, and the MNO finds the corresponding authentication algorithm program according to the EID issuer identifier and the platform/operating system version information.
As another example, the target information includes the capability information of the eUICC. During contract signing between the user terminal and the MNO server, the MNO server can receive the capability information of the eUICC. Having received it, the MNO server finds the corresponding authentication algorithm program according to the received capability information of the eUICC.
As another example, the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC. During contract signing between the user terminal and the MNO, the MNO can receive the firmware version information and the EID sent by the LPA. After receiving the EID, the MNO obtains the EID issuer identifier and the platform/operating system version information from the EID, finds the corresponding authentication algorithm program based on the received firmware version information, EID issuer identifier and platform/operating system version information, and sends the authentication algorithm program to the SM-DP+ server.
As another example, the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC. During contract signing between the user terminal and the MNO, the MNO can receive the firmware version information and the EID sent by the LPA. After receiving the EID, the MNO obtains the EID issuer identifier and the platform/operating system version information from the EID, finds the corresponding authentication algorithm program based on the received firmware version information, EID issuer identifier, platform/operating system version information and eUICC capability information, and sends the authentication algorithm program to the SM-DP+ server.
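The lookup that the examples above describe, as an added example that is not part of the patent: the MNO (and, equally, the card vendor's patch server described later in this summary) derives the EID issuer identifier and platform/operating system version from the EID, combines them with the firmware version and capability information reported separately, and selects the most specific catalogue entry. It assumes the GSMA SGP.02 EID layout (32 decimal digits: "89", a 3-digit country code, a 3-digit issuer identifier, 5 digits of platform/OS version information, 5 further issuer digits, a 12-digit serial and 2 check digits computed per ISO/IEC 7064 MOD 97-10 so that the whole number mod 97 equals 1); the catalogue entries, program versions, capability labels and the sample EID are constructed.

```python
"""Constructed example (not the patent's own code) of selecting the
authentication algorithm program matching a set of target information.
Assumption: the EID follows the GSMA SGP.02 layout described in the lead-in."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class TargetInfo:
    firmware_version: Optional[str] = None
    eid_issuer_id: Optional[str] = None
    platform_os_version: Optional[str] = None
    capabilities: Optional[FrozenSet[str]] = None


def with_check_digits(eid_base30: str) -> str:
    """Append MOD 97-10 check digits to 30 leading digits (used here only to
    build a valid sample EID)."""
    return eid_base30 + f"{98 - int(eid_base30 + '00') % 97:02d}"


def parse_eid(eid: str) -> TargetInfo:
    """Extract issuer identifier and platform/OS version from an EID, rejecting
    malformed or mis-typed EIDs before any lookup is attempted."""
    if len(eid) != 32 or not eid.isdigit():
        raise ValueError("EID must be 32 decimal digits")
    if int(eid) % 97 != 1:
        raise ValueError("EID check digits do not verify")
    return TargetInfo(eid_issuer_id=eid[5:8], platform_os_version=eid[8:13])


def build_target_info(eid: str, firmware_version: Optional[str],
                      capabilities: Optional[Iterable[str]]) -> TargetInfo:
    """Combine what the EID yields with what the terminal reports separately."""
    caps = frozenset(capabilities) if capabilities is not None else None
    return replace(parse_eid(eid), firmware_version=firmware_version, capabilities=caps)


@dataclass(frozen=True)
class CatalogueEntry:
    program_id: str
    version: str
    requires: TargetInfo    # only the fields set here constrain the match

    def matches(self, target: TargetInfo) -> bool:
        for name in ("firmware_version", "eid_issuer_id", "platform_os_version"):
            wanted = getattr(self.requires, name)
            if wanted is not None and wanted != getattr(target, name):
                return False
        needed = self.requires.capabilities
        if needed is not None:
            if target.capabilities is None or not needed <= target.capabilities:
                return False
        return True

    def specificity(self) -> int:
        return sum(value is not None for value in vars(self.requires).values())


def select_program(target: TargetInfo,
                   catalogue: Iterable[CatalogueEntry]) -> Optional[CatalogueEntry]:
    """Return the most specific matching entry, None when nothing matches, and
    refuse to guess when two equally specific entries both match."""
    candidates = [entry for entry in catalogue if entry.matches(target)]
    if not candidates:
        return None
    candidates.sort(key=CatalogueEntry.specificity, reverse=True)
    if len(candidates) > 1 and candidates[0].specificity() == candidates[1].specificity():
        raise ValueError(f"ambiguous catalogue for {target}: "
                         f"{candidates[0].program_id} vs {candidates[1].program_id}")
    return candidates[0]


# Constructed sample data: issuer "001" in country "086", platform/OS "01000".
SAMPLE_EID = with_check_digits("89" + "086" + "001" + "01000" + "00000" + "000000000001")
CATALOGUE = [
    CatalogueEntry("GD_01", "1.0", TargetInfo(eid_issuer_id="001")),
    CatalogueEntry("GD_02", "2.0", TargetInfo(eid_issuer_id="001", firmware_version="2.1")),
    CatalogueEntry("GTO_01", "1.0", TargetInfo(eid_issuer_id="002",
                                               capabilities=frozenset({"secure-channel-v3"}))),
]

if __name__ == "__main__":
    info = build_target_info(SAMPLE_EID, "2.1", ["javacard", "secure-channel-v3"])
    print(info, select_program(info, CATALOGUE))
```

Validating the EID before the lookup matters because the issuer identifier and platform/OS version are read from it positionally: a mistyped or truncated EID would otherwise silently select a program for the wrong card family. Refusing an ambiguous catalogue rather than picking the first hit turns an operator-side configuration error into a visible failure instead of a profile that authenticates with the wrong algorithm.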
Optionally, the MNO can send the authentication algorithm program to the SM-DP+ server in a download order (DownloadOrder), or in a confirm order (ConfirmOrder).
By implementing this embodiment, the authentication algorithm program that the eUICC lacks can be actively pushed from the MNO to the SM-DP+ server, and then, once the SM-DP+ server has received the authentication algorithm program, it can be sent to the eUICC through the LPA in time and added.
Optionally, during contract signing between the user terminal and the MNO server, after the EID or other matching information (such as the firmware version information and the capability information of the eUICC) has been reported, the MNO server looks up the corresponding authentication algorithm program and carries a profile type (ProfileType) in the download order (DownloadOrder) it sends to the SM-DP+ server. The profile type indicates the kind of profile that the SM-DP+ server is to generate or match. Profile types may be distinguished by the data contained in the profile; for example, profile type 1 indicates a profile containing an authentication algorithm program, and profile type 2 indicates a profile without an authentication algorithm program. Alternatively, profile types may be distinguished by the identifiers of the different authentication algorithm programs contained in the profile; for example, profile type 1 indicates a profile containing the authentication algorithm program with identifier GD_01, and profile type 2 indicates a profile containing the authentication algorithm program with identifier GTO_01. Optionally, the MNO server can carry two profile types in the download order, one indicating a profile containing an authentication algorithm program and the other indicating a profile containing the authentication algorithm program with identifier GTO_01. Or the MNO server can carry two profile types in the download order, one indicating a profile that contains no authentication algorithm program and the other indicating a profile that does not contain the authentication algorithm program with identifier GTO_01.
Optionally, during contract signing between the user terminal and the MNO server, no EID information is reported; instead, an activation code for a corresponding profile can be purchased. When the MNO server mass-produces the profiles corresponding to activation codes, it can place authentication algorithm programs of different versions in different sets of profiles. When the user terminal purchases the activation code, the operator can require the user terminal to provide matching information, which may be at least one of the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; the EID issuer identifier and the platform/operating system version information of the eUICC can be obtained from the EID information reported by the user terminal. Based on the matching information obtained from the user terminal, the MNO server instructs the SM-DP+ server to package the profile containing the authentication algorithm program of the corresponding version and send it to the eUICC of the user terminal. The SM-DP+ server may obtain the authentication algorithm program as follows: after generating the authentication algorithm programs corresponding to authentication algorithms of different versions, the MNO server sends the SM-DP+ server a list of the authentication algorithm programs of all versions together with the programs themselves, so that the program corresponding to the required authentication algorithm can be taken from the list.
As an optional embodiment, when the target information includes the firmware version information of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the LPA sends second information, which includes eUICC information, to the SM-DP+ server; after receiving the second information, the SM-DP+ server obtains the firmware version information from the eUICC information; the SM-DP+ server sends third information, which includes the firmware version information, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the EID issuer identifier of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the MNO sends first information, which includes EID information, to the SM-DP+ server; after receiving the first information, the SM-DP+ server obtains the EID issuer identifier from the EID information; the SM-DP+ server sends third information, which includes the EID issuer identifier, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the MNO sends first information, which includes EID information, to the SM-DP+ server; after receiving the first information, the SM-DP+ server obtains the platform/operating system version information of the eUICC from the EID information; the SM-DP+ server sends third information, which includes the platform/operating system version information of the eUICC, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the EID issuer identifier and the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the MNO sends first information, which includes EID information, to the SM-DP+ server; after receiving the first information, the SM-DP+ server obtains the EID issuer identifier and the platform/operating system version information of the eUICC from the EID information; the SM-DP+ server sends third information, which includes the EID issuer identifier and the platform/operating system version information of the eUICC, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the capability information of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the LPA sends second information, which includes eUICC information, to the SM-DP+ server; after receiving the second information, the SM-DP+ server obtains the capability information of the eUICC from the eUICC information; the SM-DP+ server sends third information, which includes the capability information of the eUICC, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA can also carry out the following steps: the MNO sends first information, which includes EID information, to the SM-DP+ server; the LPA sends second information, which includes eUICC information, to the SM-DP+ server; after receiving the first information and the second information, the SM-DP+ server obtains the firmware version information from the eUICC information and the EID issuer identifier and the platform/operating system version information from the EID information; the SM-DP+ server sends third information, which includes the firmware version information, the EID issuer identifier and the platform/operating system version information, to the MNO; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
As another example, when the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC, the following steps can also be carried out before the SM-DP+ server receives the authentication algorithm program sent by the mobile network operator (MNO): the SM-DP+ server receives first information, which includes EID information, sent by the MNO; the SM-DP+ server receives second information, which includes eUICC information, sent by the LPA; the SM-DP+ server obtains the firmware version information and the capability information of the eUICC from the eUICC information; the SM-DP+ server obtains the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC from the EID information; the SM-DP+ server sends third information, which includes the firmware version information, the EID issuer identifier and the platform/operating system version information, to the MNO. In other words, the third information may include one or more of the four kinds of information above (the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC); the MNO looks up the corresponding authentication algorithm program according to the third information and sends the program found to the SM-DP+ server.
By implementing this embodiment, the SM-DP+ server can actively request from the MNO the authentication algorithm program that the eUICC lacks, and then, once the SM-DP+ server has received the authentication algorithm program, it can be sent to the eUICC through the LPA and added.
As a kind of optional embodiment, it further include authentication arithmetic program addition mark in the first information, such as, if target information includes firmware version information, then authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining firmware version information, requests authentication arithmetic program to MNO.If target information includes EID issuer mark, authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining EID issuer mark, requests authentication arithmetic program to MNO.If target information includes platform/operating system version information, authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining platform/operating system version information, requests authentication arithmetic program to MNO.If target information includes EID issuer mark and platform/operating system version information, then authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining EID issuer mark and platform/operating system version information, requests authentication arithmetic program to MNO.If target information includes the ability information of eUICC, authentication arithmetic program addition mark is used to indicate SM-DP+ server after the ability information for obtaining eUICC, requests authentication arithmetic program to MNO.If target information includes firmware version information, EID issuer mark, the ability information of platform/operating system version information and eUICC, authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining firmware version information, EID issuer mark and platform/operating system version information, requests authentication arithmetic program to MNO.In other words, authentication arithmetic program addition mark is used to indicate SM-DP+ server after obtaining target information, requests authentication 
arithmetic program to MNO.Target information can be one of EID issuer mark, platform/operating system version information, eUICC firmware version information and UICC ability information or a variety of.
As an alternative embodiment, the second information further includes an authentication arithmetic program addition identifier. After the subscription process is completed, the user obtains an activation code distributed by the MNO; the activation code contains the authentication arithmetic program addition identifier and the address of the SM-DP+ server. After the user enters the activation code, the LPA recognizes the authentication arithmetic program addition identifier contained in it and carries that identifier in the second message sent to the SM-DP+ server. The authentication arithmetic program addition identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after it has obtained the target information. For example, if the target information includes firmware version information, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining the firmware version information. If the target information includes the EID issuer identifier, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining the EID issuer identifier. If the target information includes platform/operating system version information, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining the platform/operating system version information. If the target information includes the EID issuer identifier and the platform/operating system version information, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining both. If the target information includes the capability information of the eUICC, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining the capability information of the eUICC. If the target information includes the firmware version information, the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC, the identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information. In other words, the target information may include one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the UICC capability information, and the authentication arithmetic program addition identifier instructs the SM-DP+ server to request the authentication arithmetic program from the MNO once it has obtained every constituent item of the target information.
In this scheme, the MNO server need not carry the authentication arithmetic program addition identifier in the first message. After the user terminal and the MNO server complete the subscription process, the user terminal receives the activation code sent by the MNO server, which contains the authentication arithmetic program addition identifier. After the LPA of the user terminal receives the user's operation of recognizing the activation code, it includes the authentication arithmetic program addition identifier from the activation code in the second information and sends it to the SM-DP+ server.
As an optional embodiment, the authentication arithmetic program addition identifier may be included in both the first information and the second information, or in only one of them; the embodiment of the present invention does not limit this.
As an alternative embodiment, the third information is handle-download-progress information.
Specifically, the operator and the card vendor negotiate the authentication algorithm to be implemented and the environment or conditions under which it is carried (for example, one or more of the firmware version information of the eUICC, the EID issuer identifier, the platform/operating system version information of the eUICC and the capability information of the eUICC). The operator delegates the implementation of the authentication algorithm to the card vendor; once development is complete, the card vendor hands the operator an authentication arithmetic program list, a version list and all the authentication arithmetic programs corresponding to those lists. Optionally, the card vendor may store the authentication arithmetic program list, the version list and all corresponding authentication arithmetic programs on a patch server and establish an interface between the patch server and the operator server. When the SM-DP+ server sends the third message to the operator server as handle-download-progress information (HandleDownloadProgressInfo), the operator server may forward the third message to the patch server over that interface. Before sending the third message, the operator server may complete mutual authentication with the patch server and establish a secure channel (for example an HTTPS connection). The patch server finds the matching authentication arithmetic program according to the information received in the third message (for example, one or more of the firmware version information of the eUICC, the EID issuer identifier, the platform/operating system version information of the eUICC and the capability information of the eUICC) and sends that program to the operator server. The operator server sends the received authentication arithmetic program to the SM-DP+ server. Optionally, the SM-DP+ server may also receive, forwarded by the operator server, the authentication arithmetic program matching the third message together with the identifier of that program, as sent by the patch server. The patch server may be operated by the terminal manufacturer (OEM).
As an alternative embodiment, the SM-DP+ server may obtain from the MNO the authentication arithmetic program list, the version list and all corresponding authentication arithmetic programs. The SM-DP+ server receives the first information sent by the MNO, which includes EID information. The SM-DP+ server receives the second information sent by the local profile assistant LPA, which includes eUICC information. The SM-DP+ server obtains the firmware version information and the capability information of the eUICC from the eUICC information, and obtains the EID issuer identifier and the platform/operating system version information from the EID information. The SM-DP+ server then finds the corresponding authentication arithmetic program according to this information. The SM-DP+ server may also find the corresponding authentication arithmetic program according to one or more of the obtained firmware version information, EID issuer identifier, platform/operating system version information and capability information of the eUICC. The SM-DP+ server may also receive, in the first information sent by the MNO, the authentication arithmetic program list, the version list and all corresponding authentication arithmetic programs.
As an alternative embodiment, the SM-DP+ server may also receive from the MNO the identifier of the authentication arithmetic program and the length information of the authentication arithmetic program. After the SM-DP+ server receives the authentication arithmetic program sent by the MNO, it may further perform the following steps: the SM-DP+ server generates a first digital signature over the identifier of the authentication arithmetic program and its length information; the SM-DP+ server sends fourth information to the eUICC through the LPA, the fourth information including the identifier of the authentication arithmetic program, its length information and the first digital signature; the SM-DP+ server receives, through the LPA, a second digital signature sent by the eUICC; the SM-DP+ server verifies the second digital signature; and if the verification of the second digital signature succeeds, the SM-DP+ server proceeds to the step of generating the binding configuration file packet that includes the authentication arithmetic program.
By implementing this embodiment, the identity legitimacy of the SM-DP+ server and of the eUICC can be verified, and the LPA can be informed of the length information of the authentication arithmetic program. The LPA can therefore send exactly the authentication arithmetic program part to the eUICC first, to be added or installed, so that once the configuration file has been installed and activated, the previously added or installed authentication arithmetic program can be used to access the network successfully.
As an alternative embodiment, the SM-DP+ server may also receive from the MNO the identifier of the authentication arithmetic program and the length information of the authentication arithmetic program, and the store metadata of the binding configuration file packet includes the identifier and the length information of the authentication arithmetic program.
By implementing this embodiment, the LPA can be informed of the length information of the authentication arithmetic program. The LPA can therefore send exactly the authentication arithmetic program part to the eUICC first, to be added or installed, so that once the configuration file has been installed and activated, the previously added or installed authentication arithmetic program can be used to access the network successfully.
As an optional embodiment, the initial secure channel information of the binding configuration file packet includes a remote operation type identifier whose value is "install binding patch and configuration file"; this type indicates that the binding configuration file packet includes both an authentication arithmetic program and a configuration file.
As an alternative embodiment, the binding configuration file packet further includes the configuration file, and the authentication arithmetic program and the configuration file are encrypted with the session key.
Encrypting the authentication arithmetic program and the configuration file with the session key improves the security of the data transmission.
As an alternative embodiment, the binding configuration file packet further includes the configuration file and a protection key, and the authentication arithmetic program and the configuration file are encrypted with the protection key.
Encrypting the authentication arithmetic program and the configuration file with the protection key improves the security of the data transmission.
As an alternative embodiment, the authentication arithmetic program is encrypted with a first protection key and the configuration file is encrypted with a second protection key. The binding configuration file packet further includes the first protection key and the second protection key, both of which are encrypted with the session key. Specifically, the second protection key may be a configuration file protection key: when the SM-DP+ server prepares the configuration file, it can immediately generate a configuration file protection key and encrypt the configuration file with it.
The first protection key may be an authentication arithmetic program protection key: after the SM-DP+ server obtains the authentication arithmetic program corresponding to the eUICC, it can encrypt the authentication arithmetic program with that key. The first protection key may also be the same key as the second protection key. For example, when the SM-DP+ server prepares the configuration file it may also have prepared the corresponding authentication arithmetic program, and it then encrypts both the authentication arithmetic program and the configuration file with a single protection key. In that case the protection key may be sent to the eUICC through the LPA only once, either before the configuration file is sent or before the authentication arithmetic program is sent. In the binding configuration file packet generated by the SM-DP+ server, the order of the configuration file, the authentication arithmetic program, the first protection key and the second protection key may be: first protection key, authentication arithmetic program, second protection key, configuration file. Optionally, the order may also be: second protection key, configuration file, first protection key, authentication arithmetic program. These four items may be located after the store metadata field in the binding configuration file packet.
As an alternative embodiment, the binding configuration file packet further includes the configuration file and a protection key; the authentication arithmetic program is encrypted with the session key and the configuration file is encrypted with the protection key.
Encrypting the authentication arithmetic program with the session key and the configuration file with the protection key improves the security of the data transmission.
As an alternative embodiment, the binding configuration file packet further includes the configuration file and a protection key; the authentication arithmetic program is encrypted with the protection key and the configuration file is encrypted with the session key.
As an alternative embodiment, the authentication arithmetic program is encrypted by the MNO with the public key of the eUICC.
As an optional embodiment, before the MNO encrypts the authentication arithmetic program with the public key of the eUICC, the following steps may also be performed. When the MNO and the card vendor agree on the constraint conditions for generating the authentication arithmetic program (such as the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the UICC capability information), the MNO obtains from the card vendor the certificates (CERT.EUICC.ECDSA) of all the eUICCs that the card vendor provides. The certificate of an eUICC includes the public key of that eUICC. After generating the authentication arithmetic programs, the MNO can match the authentication arithmetic program of the corresponding version according to the EID information in the eUICC certificate. The match may be made by the EID issuer identifier in the EID information; by the platform/operating system version information in the EID; by the EID issuer identifier together with the platform/operating system version information in the EID; or by the EID issuer identifier, the platform/operating system version information and the firmware version information and capability information of the eUICC or UICC. The firmware version information of the eUICC and the capability information of the UICC may be provided by the card vendor when the MNO and the card vendor agree on the constraint conditions for generating the authentication arithmetic program. In other words, after generating the authentication arithmetic programs, the MNO can find the corresponding authentication arithmetic program according to one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the UICC capability information.
Encrypting the authentication arithmetic program with the public key of the eUICC improves the security of the data transmission.
Optionally, the session key and the protection key each include an encryption key and an integrity key. The encryption key is used to encrypt and decrypt messages; the integrity key is used to generate the integrity verification field and to verify it.
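An added model of the packet layout and key handling described in the embodiments above (the store metadata carrying identifier and length, a wrapped protection key placed before each part it protects, encryption plus an integrity field, and either part order); this is example code, not the patent's or any eSIM implementation's. It assumes constructed segment labels, a constructed value for the remote operation type identifier, and a toy HMAC-SHA256 keystream in place of AES, which the Python standard library lacks.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder: the text names the remote operation type
# "install binding patch and configuration file" but gives no numeric value.
REMOTE_OP_INSTALL_BOUND_PATCH_AND_PROFILE = b"\x02"
NONCE_LEN = 16
TAG_LEN = 32


@dataclass(frozen=True)
class Key:
    """Session key or protection key: an encryption key plus an integrity key."""
    enc: bytes
    mac: bytes

    @classmethod
    def generate(cls) -> "Key":
        return cls(os.urandom(32), os.urandom(32))

    def to_bytes(self) -> bytes:
        return self.enc + self.mac

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Key":
        return cls(raw[:32], raw[32:64])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode), constructed because the
    # standard library has no AES; the packaging logic does not depend on it.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def protect(key: Key, plaintext: bytes) -> bytes:
    """Encrypt with the encryption key, then tag nonce||ciphertext with the integrity key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key.enc, nonce, len(plaintext))))
    tag = hmac.new(key.mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: Key, blob: bytes) -> bytes:
    """Verify the integrity verification field before decrypting anything."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key.mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity verification field mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key.enc, nonce, len(ct))))


def build_bound_package(session: Key, program_id: bytes, program: bytes,
                        profile: bytes, profile_first: bool = False) -> list:
    """SM-DP+ side. Each part is encrypted with its own protection key; that key
    is wrapped with the session key and placed just before the part it protects,
    after the store metadata (which carries the program identifier and length)."""
    ppk_program = Key.generate()   # first protection key
    ppk_profile = Key.generate()   # second protection key
    metadata = bytes([len(program_id)]) + program_id + len(program).to_bytes(4, "big")
    program_part = [("first_protection_key", protect(session, ppk_program.to_bytes())),
                    ("authentication_program", protect(ppk_program, program))]
    profile_part = [("second_protection_key", protect(session, ppk_profile.to_bytes())),
                    ("configuration_file", protect(ppk_profile, profile))]
    body = profile_part + program_part if profile_first else program_part + profile_part
    return [("initial_secure_channel", REMOTE_OP_INSTALL_BOUND_PATCH_AND_PROFILE),
            ("store_metadata", metadata)] + body


def euicc_process(session: Key, package: list) -> dict:
    """eUICC side: check the remote operation type, unwrap each protection key as
    it arrives and decrypt the part that follows it, in whichever order it comes."""
    result, current_key, declared_len = {}, None, None
    for label, blob in package:
        if label == "initial_secure_channel":
            if blob != REMOTE_OP_INSTALL_BOUND_PATCH_AND_PROFILE:
                raise ValueError("unexpected remote operation type")
        elif label == "store_metadata":
            id_len = blob[0]
            result["program_id"] = blob[1:1 + id_len]
            declared_len = int.from_bytes(blob[1 + id_len:], "big")
        elif label in ("first_protection_key", "second_protection_key"):
            current_key = Key.from_bytes(unprotect(session, blob))
        elif label in ("authentication_program", "configuration_file"):
            if current_key is None:
                raise ValueError(f"{label} arrived before its protection key")
            plain = unprotect(current_key, blob)
            if label == "authentication_program" and len(plain) != declared_len:
                raise ValueError("program length disagrees with store metadata")
            result["program" if label == "authentication_program" else "profile"] = plain
        else:
            raise ValueError(f"unknown segment {label!r}")
    return result
```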
In a second aspect, a method for adding an authentication arithmetic program is further provided. The method comprises: an embedded universal integrated circuit card eUICC receives a binding configuration file packet sent by a local profile assistant LPA, the binding configuration file packet including initial secure channel information, store metadata, an authentication arithmetic program and a configuration file, the authentication arithmetic program corresponding to target information, where the target information is at least one of the firmware version information of the eUICC, the embedded universal integrated circuit card identifier (EID) issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; and the eUICC adds the authentication arithmetic program to the eUICC. Optionally, the authentication arithmetic program may be located outside the configuration file or within it.
By implementing the method described in the second aspect, the eUICC receives a binding configuration file packet that includes both the configuration file and the authentication arithmetic program the eUICC lacks. When the eUICC runs the configuration file, it can therefore use the authentication arithmetic program received together with the configuration file to verify its identity legitimacy. Thus, by implementing the method described in the second aspect, the eUICC can add the authentication arithmetic program to itself in time.
As an alternative embodiment, before the eUICC receives the initial secure channel information sent by the LPA, the following steps may also be performed: the eUICC receives, through the LPA, fourth information sent by the SM-DP+ server, the fourth information including the identifier of the authentication arithmetic program, its length information and a first digital signature; the eUICC verifies the first digital signature using the identifier and the length information of the authentication arithmetic program; if the verification of the first digital signature succeeds, the eUICC generates a second digital signature over the first digital signature; and the eUICC sends the second digital signature to the SM-DP+ server through the LPA.
By implementing this embodiment, the identity legitimacy of the SM-DP+ server and of the eUICC can be verified, and the eUICC also learns the identifier of the authentication arithmetic program.
As an alternative embodiment, after the eUICC receives the authentication arithmetic program sent by the LPA, the eUICC may also add the identifier of the authentication arithmetic program to the eUICC.
As an alternative embodiment, the store metadata includes the identifier of the authentication arithmetic program, and the eUICC may also add that identifier to the eUICC.
As an optional embodiment, the initial secure channel information of the binding configuration file packet includes a remote operation type identifier whose value is "install binding patch and configuration file"; this type indicates that the binding configuration file packet includes both an authentication arithmetic program and a configuration file. Optionally, this type may also indicate the security level of the authentication arithmetic program and the configuration file. After the eUICC receives the initial secure channel information sent by the LPA, it verifies that the value of the remote operation type identifier contained in it is "install binding patch and configuration file". If the remote operation type identifier is verified to be one of the defined types, the eUICC processes the authentication arithmetic program and the configuration file in the binding configuration file packet according to the security level corresponding to that remote operation type. For example, a remote operation type identifier with the value "install binding patch and configuration file" indicates that the security level of the configuration file and of the authentication arithmetic program is integrity protection and encryption protection (Message Authentication Code and ENCRYPTION).
As an alternative embodiment, the authentication arithmetic program and the configuration file are encrypted with the session key. After the eUICC receives the authentication arithmetic program sent by the LPA, it may decrypt the authentication arithmetic program with the session key. Optionally, after the eUICC completes the operation of adding the authentication arithmetic program to the eUICC, it sends an authentication arithmetic program addition success message to the LPA; this message may be carried in a response Application Protocol Data Unit (response APDU) command and instructs the LPA to send the configuration file part of the binding configuration file packet to the eUICC. After the eUICC receives the configuration file sent by the LPA, it may decrypt the configuration file with the session key.
Alternatively, the eUICC may first receive the configuration file sent by the LPA, decrypt it with the session key and install it. Optionally, after the eUICC completes the installation of the configuration file, it sends a configuration file installation success message to the LPA; this message may be carried in a response APDU command and instructs the LPA to send the authentication arithmetic program in the binding configuration file packet to the eUICC. The eUICC then receives the authentication arithmetic program sent by the LPA and decrypts it with the session key; after decryption, the eUICC adds the authentication arithmetic program to the eUICC. In other words, the eUICC may receive the authentication arithmetic program first and the configuration file afterwards, or the configuration file first and the authentication arithmetic program afterwards; the embodiment of the present invention does not limit this.
Encrypting the authentication arithmetic program and the configuration file with the session key improves the security of the data transmission; correspondingly, the eUICC needs to decrypt both the authentication arithmetic program and the configuration file with the session key.
As an alternative embodiment, the authentication arithmetic program and the configuration file are encrypted with the protection key, the binding configuration file packet further includes the protection key, and the protection key is encrypted with the session key. Before the eUICC receives the authentication arithmetic program sent by the LPA, it may also receive the protection key sent by the LPA and decrypt it with the session key. After the eUICC receives the authentication arithmetic program sent by the LPA, it may decrypt the authentication arithmetic program with the protection key. Optionally, after the eUICC completes the operation of adding or installing the authentication arithmetic program, it sends an authentication arithmetic program addition success message to the LPA; this message may be carried in a response Application Protocol Data Unit (response APDU) command and instructs the LPA to send the configuration file part of the binding configuration file packet to the eUICC. After the eUICC receives the configuration file sent by the LPA, it may decrypt the configuration file with the protection key.
Alternatively, the eUICC may first receive the configuration file sent by the LPA, decrypt it with the protection key and install it. Optionally, after the eUICC completes the installation of the configuration file, it sends a configuration file installation success message to the LPA; this message may be carried in a response APDU command and instructs the LPA to send the authentication arithmetic program in the binding configuration file packet to the eUICC. The eUICC then receives the authentication arithmetic program sent by the LPA and decrypts it with the protection key; after decryption, the eUICC adds the authentication arithmetic program to the eUICC. In other words, the eUICC may receive the authentication arithmetic program first and the configuration file afterwards, or the configuration file first and the authentication arithmetic program afterwards; the embodiment of the present invention does not limit this.
As an alternative embodiment, the authentication arithmetic program is encrypted with a first protection key and the configuration file is encrypted with a second protection key. The binding configuration file packet further includes the first protection key and the second protection key, both of which are encrypted with the session key. Before the eUICC receives the authentication arithmetic program sent by the LPA, it may also receive the first protection key sent by the LPA and decrypt it with the session key; after the eUICC receives the authentication arithmetic program, it may decrypt the authentication arithmetic program with the first protection key. After the eUICC completes the operation of adding the authentication arithmetic program to the eUICC, it sends an authentication arithmetic program addition success message to the LPA; this message may be carried in a response Application Protocol Data Unit (response APDU) command and instructs the LPA to send the configuration file part of the binding configuration file packet to the eUICC. Before the eUICC receives the configuration file sent by the LPA, it may also receive the second protection key sent by the LPA and decrypt it with the session key; after the eUICC receives the configuration file, it may decrypt the configuration file with the second protection key. The eUICC may also receive the configuration file first and decrypt it with the second protection key received before the configuration file; after receiving the configuration file, it receives the first protection key and then the authentication arithmetic program, and decrypts the authentication arithmetic program with the first protection key.
Specifically, the second protection key may be a configuration file protection key: when the SM-DP+ server prepares the configuration file, it can immediately generate a configuration file protection key and encrypt the configuration file with it. The first protection key may be an authentication arithmetic program protection key: after the SM-DP+ server obtains the authentication arithmetic program corresponding to the eUICC, it can encrypt the authentication arithmetic program with that key. The first protection key may also be the same key as the second protection key. For example, when the SM-DP+ server prepares the configuration file it may also have prepared the corresponding authentication arithmetic program, and it then encrypts both the authentication arithmetic program and the configuration file with a single protection key. In that case the protection key may be sent to the eUICC through the LPA only once, either before the configuration file is sent or before the authentication arithmetic program is sent.
Encrypting the authentication arithmetic program and the configuration file with the protection key improves the security of the data transmission; correspondingly, the eUICC needs to decrypt both the authentication arithmetic program and the configuration file with the protection key.
As an alternative embodiment, the authentication arithmetic program is encrypted with the session key and the configuration file is encrypted with the protection key; the binding configuration file packet further includes the protection key, which is encrypted with the session key. Before the eUICC receives the configuration file sent by the LPA, it may also receive the protection key sent by the LPA and decrypt it with the session key. After the eUICC receives the authentication arithmetic program sent by the LPA, it may decrypt the authentication arithmetic program with the session key. Optionally, after the eUICC completes the operation of adding or installing the authentication arithmetic program, it sends an authentication arithmetic program addition success message to the LPA; this message may be carried in a response Application Protocol Data Unit (response APDU) command and instructs the LPA to send the configuration file part of the binding configuration file packet to the eUICC. After the eUICC receives the configuration file sent by the LPA, it may decrypt the configuration file with the protection key.
Alternatively, the eUICC may first receive the configuration file sent by the LPA, decrypt it with the protection key and install it. Optionally, after the eUICC completes the installation of the configuration file, it sends a configuration file installation success message to the LPA; this message may be carried in a response APDU command and instructs the LPA to send the authentication arithmetic program in the binding configuration file packet to the eUICC. The eUICC then receives the authentication arithmetic program sent by the LPA and decrypts it with the session key; after decryption, the eUICC adds the authentication arithmetic program to the eUICC. In other words, the eUICC may receive the authentication arithmetic program first and the configuration file afterwards, or the configuration file first and the authentication arithmetic program afterwards. The eUICC may receive the protection key after the authentication arithmetic program and the configuration file after the protection key; it may receive the configuration file after the protection key and the authentication arithmetic program after the configuration file; or it may receive the authentication arithmetic program after the protection key and the configuration file after the authentication arithmetic program. The embodiment of the present invention does not limit this.
Encrypting the authentication arithmetic program with the session key and the configuration file with the protection key improves the security of the data transmission; correspondingly, the eUICC needs to decrypt the authentication arithmetic program with the session key and the configuration file with the protection key.
As an optional embodiment, the authentication arithmetic program is encrypted with the protection key and the configuration file is encrypted with the session key; the binding configuration file packet further includes the protection key, which is encrypted with the session key. After the eUICC receives the configuration file sent by the LPA, it may also receive the protection key sent by the LPA and decrypt it with the session key; after the eUICC receives the authentication arithmetic program sent by the LPA, it may decrypt the authentication arithmetic program with the protection key. Alternatively, the eUICC may first receive the protection key sent by the LPA and decrypt it with the session key; after decryption, the eUICC receives the authentication arithmetic program sent by the LPA and adds it to the eUICC. After the eUICC completes the operation of adding the authentication arithmetic program, it sends an authentication arithmetic program addition success message to the LPA; this message may be carried in a response Application Protocol Data Unit (response APDU) command and instructs the LPA to send the configuration file in the binding configuration file packet to the eUICC. The eUICC then receives the configuration file sent by the LPA and decrypts it with the session key; after decryption, the eUICC installs the configuration file. In other words, the eUICC may receive the protection key first, then the authentication arithmetic program and finally the configuration file; or it may receive the configuration file first, then the protection key and finally the authentication arithmetic program.
As an alternative embodiment, the authentication arithmetic program is encrypted by the MNO with the public key of the eUICC, and the eUICC may decrypt the authentication arithmetic program with the private key of the eUICC.
Encrypting the authentication arithmetic program with the public key of the eUICC improves the security of the data transmission; correspondingly, the eUICC needs to decrypt the authentication arithmetic program with the private key of the eUICC.
As an alternative embodiment, if the eUICC deletes the configuration file, the eUICC also deletes the authentication arithmetic program.
If the authentication arithmetic program implements a proprietary authentication arithmetic of a particular operator, then once the configuration file corresponding to that program is deleted, the program temporarily has no occasion to be called. Therefore, if the eUICC deletes the configuration file, the eUICC deletes the authentication arithmetic program corresponding to that configuration file, which helps save storage space. Specifically, once the eUICC determines that the added or installed authentication arithmetic program and configuration file came from the same binding configuration file packet, it can establish a mapping relation between the authentication arithmetic program and the configuration file. After the eUICC determines that the configuration file has been deleted, it can delete the corresponding authentication arithmetic program according to the previously established mapping relation.
As an alternative embodiment, after the eUICC adds the authentication arithmetic program to the eUICC, the following steps may also be carried out: the eUICC receives an activation profile command sent by the LPA, the activation profile command specifying the configuration file that the eUICC is to activate; the eUICC determines the corresponding authentication arithmetic program according to the identifier of the authentication arithmetic program in the configuration file; the eUICC configures the authentication arithmetic program with the network access application parameters of the configuration file; and the eUICC performs bi-directional authentication with the network using the authentication arithmetic program.
Optionally, the activation profile command includes the identifier of the configuration file in the binding configuration file packet downloaded earlier. The eUICC reads the identifier of the authentication arithmetic program in the configuration file to determine the corresponding authentication arithmetic program; the authentication arithmetic program identifier can be stored in the file system part of the configuration file. The authentication arithmetic program referred to is the one included in the previously downloaded binding configuration file packet: the eUICC obtains the authentication arithmetic program from the binding configuration file packet and installs or adds it to the authentication arithmetic implementation data set in the telecom framework. Several sets of authentication arithmetic programs may exist in the eUICC, each with a unique authentication arithmetic program identifier; therefore, the eUICC determines the previously added authentication arithmetic program according to the authentication arithmetic program identifier in the configuration file. After the eUICC determines the authentication arithmetic program, it configures the program with the network access application parameters of the configuration file. After the network access application parameters have been configured, the eUICC performs bi-directional authentication with the network using the authentication arithmetic program. After successful authentication, the terminal to which the eUICC belongs can access the network. The network here may be the Mobility Management Entity on the network side, or it may be an Authentication Center.
By implementing this embodiment, when the configuration file is run for registration, identity legitimacy verification of the network entity can be performed directly using the authentication arithmetic program that is in the same binding configuration file packet as the configuration file.
As an alternative embodiment, the eUICC receiving the binding configuration file packet sent by the LPA may include: the eUICC receives the initial secure channel information in the binding configuration file packet sent by the LPA; the eUICC receives the store metadata in the binding configuration file packet sent by the LPA; the eUICC receives the authentication arithmetic program in the binding configuration file packet sent by the LPA; the eUICC sends to the LPA a message indicating that the addition of the authentication arithmetic program is complete; and the eUICC receives the configuration file in the binding configuration file packet sent by the LPA.
Optionally, after the eUICC receives the initial secure channel information and the store metadata, the eUICC may instead first receive the configuration file in the binding configuration file packet sent by the LPA; the eUICC sends to the LPA a message indicating that the addition of the configuration file is complete; and the eUICC then receives the authentication arithmetic program in the binding configuration file packet sent by the LPA.
Specifically, the eUICC can receive the authentication arithmetic program sent by the LPA through the ES10d interface between the LPADd in the LPA and the LPA Services in the ISD-R. The eUICC sends to the LPA, through the ES10d interface, a message indicating that the addition or installation of the authentication arithmetic implementation data is complete; this message indicating that the addition of the authentication arithmetic program is complete can be carried in a response Application Protocol Data Unit (response APDU) command. After the eUICC sends that message to the LPA, it receives the configuration file in the binding configuration file packet sent by the LPA through the ES10b interface between the LPDd and the LPA Services. Optionally, the eUICC may also first receive the configuration file sent by the LPA through the ES10b interface and, after receiving the configuration file, receive the authentication arithmetic program sent by the LPA through the ES10d interface.
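The eUICC-side behaviour of the preceding embodiments (the protection key under the session key, the program under the protection key, the profile under the session key, both permitted receive orders, the profile-to-program mapping used at deletion, and the look-up by identifier at activation) is shown below as an added simulation. This is example code written for this page, not code from the patent or from any eUICC implementation; the `Euicc` class, the `seal`/`unseal` HMAC-based toy cipher standing in for the real AES secure channel, the `|`-separated payload layout, the ICCID and the response strings are all constructed for the example.

```python
"""Simulated eUICC side of receiving a binding configuration file packet (constructed example)."""
import hashlib
import hmac
import os


# Toy authenticated encryption built from HMAC-SHA256 (keystream plus tag).  It stands in for
# the AES-based secure channel a real eUICC uses; only the layering of keys matters here.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # a tampered segment is never installed
    return _keystream_xor(key, nonce, ciphertext)


class Euicc:
    """Accepts protection key, authentication arithmetic program and configuration file in either
    order the text allows, with one hard constraint: the protection key must arrive before
    the program it protects."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.protection_key = None
        self.auth_programs = {}     # program identifier -> program bytes (telecom framework set)
        self.profiles = {}          # ICCID -> {"auth_id": ..., "naa": ...}
        self.profile_to_auth = {}   # mapping relation consulted when a profile is deleted

    def receive_protection_key(self, blob: bytes) -> str:
        self.protection_key = unseal(self.session_key, blob)  # key travels under the session key
        return "protection-key-ok"

    def receive_auth_program(self, blob: bytes) -> str:
        if self.protection_key is None:
            raise RuntimeError("protection key must be received before the program")
        auth_id, program = unseal(self.protection_key, blob).split(b"|", 1)
        self.auth_programs[auth_id.decode()] = program
        self._link()
        return "auth-program-added"  # the response APDU that tells the LPA to send the profile

    def receive_profile(self, blob: bytes) -> str:
        iccid, auth_id, naa = unseal(self.session_key, blob).decode().split("|")
        self.profiles[iccid] = {"auth_id": auth_id, "naa": naa}
        self._link()
        return "profile-installed"

    def _link(self) -> None:
        # Record the mapping once both halves of the same packet are present.
        for iccid, prof in self.profiles.items():
            if prof["auth_id"] in self.auth_programs:
                self.profile_to_auth[iccid] = prof["auth_id"]

    def delete_profile(self, iccid: str) -> list:
        """Delete the profile and, via the mapping, a program no other profile still references."""
        del self.profiles[iccid]
        auth_id = self.profile_to_auth.pop(iccid, None)
        still_used = any(p["auth_id"] == auth_id for p in self.profiles.values())
        if auth_id is not None and not still_used:
            del self.auth_programs[auth_id]
        return sorted(self.auth_programs)

    def enable_profile(self, iccid: str) -> dict:
        """Look the program up by the identifier stored in the profile; hand it the NAA parameters."""
        prof = self.profiles[iccid]
        program = self.auth_programs[prof["auth_id"]]
        return {"auth_id": prof["auth_id"], "program": program, "naa": prof["naa"]}


def run_both_orders() -> tuple:
    """Seal one constructed packet and deliver it in both permitted orders."""
    session_key, protection_key = os.urandom(32), os.urandom(32)
    pk_blob = seal(session_key, protection_key)
    prog_blob = seal(protection_key, b"GD_01|" + bytes([1, 2, 3]))  # GD_01 is the text's identifier
    prof_blob = seal(session_key, b"8986000000000000001|GD_01|naa-parameters")  # constructed ICCID
    key_first = Euicc(session_key)
    order_a = [key_first.receive_protection_key(pk_blob),
               key_first.receive_auth_program(prog_blob),
               key_first.receive_profile(prof_blob)]
    profile_first = Euicc(session_key)
    order_b = [profile_first.receive_profile(prof_blob),
               profile_first.receive_protection_key(pk_blob),
               profile_first.receive_auth_program(prog_blob)]
    return key_first, profile_first, order_a, order_b
```

The point to keep when building a real card-side handler is the ordering constraint in `receive_auth_program` and the integrity check in `unseal`: a program segment that arrives before its protection key, or that fails its tag, is rejected rather than installed.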
A third aspect additionally provides a method for adding an authentication arithmetic program, which includes: a local profile assistant (LPA) receives fifth information sent by a subscription manager-data preparation (SM-DP+) server; according to the fifth information, the LPA sends the authentication arithmetic program in the binding configuration file packet to an embedded universal integrated circuit card (eUICC), the authentication arithmetic program corresponding to target information, where the target information is at least one of the firmware version information of the eUICC, the embedded universal integrated circuit card identity (EID) issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; the LPA receives a message sent by the eUICC indicating that the addition of the authentication arithmetic program is complete; and the LPA sends the configuration file in the binding configuration file packet to the eUICC. Optionally, the LPA may first send the configuration file in the binding configuration file packet to the eUICC and, after receiving a message sent by the eUICC indicating that the configuration file has been installed, send the authentication arithmetic program in the binding configuration file packet to the eUICC according to the fifth information.
Specifically, the LPA can send the authentication arithmetic program to the eUICC through the ES10d interface between the LPADd and the LPA Services in the ISD-R of the eUICC. The LPA receives, through the ES10d interface, the message sent by the eUICC indicating that the addition or installation of the authentication arithmetic program is complete; this message can be carried in a response Application Protocol Data Unit (response APDU) command. After the LPA receives the message sent by the eUICC indicating that the addition of the authentication arithmetic program is complete, the LPA sends the configuration file in the binding configuration file packet to the eUICC through the ES10b interface between the LPDd and the LPA Services. The ES10b and ES10d interfaces can also be used to send the configuration file first and the authentication arithmetic program afterwards.
By implementing the method described in the third aspect, the LPA can accurately locate the authentication arithmetic program within the binding configuration file packet and send it to the eUICC, so that the eUICC can add the authentication arithmetic program in time.
As an alternative embodiment, the fifth information is the length information of the authentication arithmetic program, or the fifth information is the tag information of the encrypted segment data in the binding configuration file packet.
By implementing this embodiment, the LPA can accurately locate the authentication arithmetic program within the binding configuration file packet and send it to the eUICC.
As an alternative embodiment, the length information of the authentication arithmetic program is included in the store metadata of the binding configuration file packet.
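How an LPA would use the fifth information of the third aspect (a segment tag, or a program length carried in the store metadata) to cut the authentication arithmetic program out of the binding configuration file packet and then drive the ES10d/ES10b order described above is shown in the added example below. It is written for this page and is not code from the patent or from any LPA implementation. The BER-TLV segment tags BF36, BF23, A0, A1 and A3 are assumed here from the GSMA bound profile package encoding; the program tag A4 and the length field tag 84 are placeholders, since the text assigns no tag to them; the `es10b`/`es10d` callables, the response string and the packet contents built by `build_sample_bpp` are constructed for the example.

```python
"""LPA-side extraction and delivery of the authentication arithmetic program (constructed example)."""

TAG_BPP = b"\xbf\x36"               # assumed GSMA BPP tags ...
TAG_INIT_SECURE_CHANNEL = b"\xbf\x23"
TAG_CONFIGURE_ISDP = b"\xa0"
TAG_STORE_METADATA = b"\xa1"
TAG_PROFILE = b"\xa3"
TAG_AUTH_PROGRAM = b"\xa4"          # ... placeholder: the text assigns no tag to the program
TAG_PROGRAM_LENGTH = b"\x84"        # placeholder: length field inside the store metadata


def encode_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: bytes, value: bytes) -> bytes:
    return tag + encode_length(len(value)) + value


def parse_tlvs(data: bytes) -> list:
    """Split a BER-TLV sequence into (tag, value) pairs; handles multi-byte tags and long lengths."""
    out, i = [], 0
    while i < len(data):
        start = i
        if data[i] & 0x1F == 0x1F:          # low five bits set: the tag continues
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i]
        first, i = data[i], i + 1
        if first & 0x80:
            count = first & 0x7F
            length, i = int.from_bytes(data[i:i + count], "big"), i + count
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated TLV")  # never hand a partial segment to the card
        out.append((tag, data[i:i + length]))
        i += length
    return out


def bpp_segments(bpp: bytes) -> list:
    outer = parse_tlvs(bpp)
    if len(outer) != 1 or outer[0][0] != TAG_BPP:
        raise ValueError("not a single bound profile package")
    return parse_tlvs(outer[0][1])


def select_auth_program(bpp: bytes, by: str) -> bytes:
    """Pick the encrypted program segment by its tag, or by the length announced in the store
    metadata (assumed here to describe the segment that immediately follows the metadata)."""
    segments = bpp_segments(bpp)
    if by == "tag":
        return next(v for t, v in segments if t == TAG_AUTH_PROGRAM)
    if by == "length":
        idx = next(i for i, (t, _) in enumerate(segments) if t == TAG_STORE_METADATA)
        meta = parse_tlvs(segments[idx][1])
        announced = int.from_bytes(next(v for t, v in meta if t == TAG_PROGRAM_LENGTH), "big")
        candidate = segments[idx + 1][1]
        if len(candidate) != announced:
            raise ValueError("segment length does not match the store metadata")
        return candidate
    raise ValueError("fifth information must be 'tag' or 'length'")


def deliver(bpp: bytes, es10b, es10d) -> list:
    """Channel set-up and metadata over ES10b, the program over ES10d, and the profile over ES10b
    only after the eUICC's response APDU has confirmed the addition."""
    segments = bpp_segments(bpp)
    log = []
    for tag, value in segments:
        if tag in (TAG_AUTH_PROGRAM, TAG_PROFILE):
            continue
        log.append(("ES10b", tag.hex(), es10b(value)))
    response = es10d(select_auth_program(bpp, by="tag"))
    log.append(("ES10d", TAG_AUTH_PROGRAM.hex(), response))
    if response != "auth-program-added":
        raise RuntimeError("eUICC did not confirm the program; profile withheld")
    profile = next(v for t, v in segments if t == TAG_PROFILE)
    log.append(("ES10b", TAG_PROFILE.hex(), es10b(profile)))
    return log


def build_sample_bpp(program: bytes, profile: bytes) -> bytes:
    """Constructed packet with dummy payloads; sizes above 127 bytes exercise long-form lengths."""
    metadata = tlv(b"\x5a", bytes.fromhex("89860000000000000010"))          # constructed ICCID
    metadata += tlv(TAG_PROGRAM_LENGTH, len(program).to_bytes(2, "big"))
    body = (tlv(TAG_INIT_SECURE_CHANNEL, bytes(4)) + tlv(TAG_CONFIGURE_ISDP, b"\x01")
            + tlv(TAG_STORE_METADATA, metadata) + tlv(TAG_AUTH_PROGRAM, program)
            + tlv(TAG_PROFILE, profile))
    return tlv(TAG_BPP, body)
```

The length check in `select_auth_program` and the truncation check in `parse_tlvs` are the two places where a malformed or short-read packet is caught on the LPA side before any segment is pushed to the card.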
A fourth aspect additionally provides a method for adding an authentication arithmetic program, which includes: a user terminal receives, through a local profile assistant (LPA), the binding configuration file packet sent by a subscription manager-data preparation (SM-DP+) server, where the binding configuration file packet includes an authentication arithmetic program corresponding to target information, the target information being at least one of the firmware version information of the embedded universal integrated circuit card (eUICC), the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; and the user terminal adds the authentication arithmetic program to the eUICC through the LPA.
By implementing the method described in the fourth aspect, the user terminal can receive a binding configuration file packet that includes both the configuration file and the authentication arithmetic program the eUICC lacks. When the eUICC runs the configuration file, it can then perform identity legitimacy verification for the eUICC using the authentication arithmetic program received together with the configuration file. Therefore, by implementing the method described in the fourth aspect, the user terminal can add the authentication arithmetic program to the eUICC in time.
A fifth aspect additionally provides an SM-DP+ server having the function of implementing the SM-DP+ server behaviour in the first aspect or in the possible implementations of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the function, and the units may be software and/or hardware. Based on the same inventive concept, since the principle by which the SM-DP+ server solves the problem and its beneficial effects may refer to each possible method implementation of the first aspect and the beneficial effects they bring, the implementation of the SM-DP+ server may refer to each possible method implementation of the first aspect, and repetition is omitted.
A sixth aspect additionally provides an eUICC having the function of implementing the eUICC behaviour in the second aspect or in the possible implementations of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the function, and the units may be software and/or hardware. Based on the same inventive concept, since the principle by which the eUICC solves the problem and its beneficial effects may refer to the second aspect and its possible embodiments and the beneficial effects they bring, the implementation of the eUICC may refer to the second aspect and its possible embodiments, and repetition is omitted.
A seventh aspect additionally provides an LPA having the function of implementing the LPA behaviour in the third aspect or in the possible implementations of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the function, and the units may be software and/or hardware. Based on the same inventive concept, since the principle by which the LPA solves the problem and its beneficial effects may refer to each possible method implementation of the third aspect and the beneficial effects they bring, the implementation of the LPA may refer to each possible method implementation of the third aspect, and repetition is omitted.
An eighth aspect additionally provides a user terminal having the function of implementing the user terminal behaviour in the fourth aspect or in the possible implementations of the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the function, and the units may be software and/or hardware. Based on the same inventive concept, since the principle by which the user terminal solves the problem and its beneficial effects may refer to each possible method implementation of the fourth aspect and the beneficial effects they bring, the implementation of the user terminal may refer to each possible method implementation of the fourth aspect, and repetition is omitted.
A ninth aspect provides an SM-DP+ server that includes a processor, a memory, a communication interface and one or more programs; the processor and the communication interface are connected to the memory; the one or more programs are stored in the memory, and the processor calls the program stored in the memory to implement the scheme of the first aspect or of the possible embodiments of the first aspect. The embodiments and beneficial effects by which the SM-DP+ server solves the problem may refer to the first aspect and its possible embodiments and beneficial effects, and repetition is omitted.
A tenth aspect provides an eUICC that includes a processor, a memory, a communication interface and one or more programs; the processor and the communication interface are connected to the memory; the one or more programs are stored in the memory, and the processor calls the program stored in the memory to implement the scheme of the second aspect or of the possible embodiments of the second aspect. The embodiments and beneficial effects by which the eUICC solves the problem may refer to the second aspect and its possible embodiments and beneficial effects, and repetition is omitted.
An eleventh aspect provides an LPA that includes a processor, a memory, a communication interface and one or more programs; the processor and the communication interface are connected to the memory; the one or more programs are stored in the memory, and the processor calls the program stored in the memory to implement the scheme of the third aspect or of the possible embodiments of the third aspect. The embodiments and beneficial effects by which the LPA solves the problem may refer to the third aspect and its possible embodiments and beneficial effects, and repetition is omitted.
A twelfth aspect provides a user terminal that includes a local profile assistant (LPA), a communication module and an embedded universal integrated circuit card (eUICC), where: the LPA is configured to receive the binding configuration file packet sent by the subscription manager-data preparation (SM-DP+) server, the binding configuration file packet including an authentication arithmetic program corresponding to target information, the target information being at least one of the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC; and the LPA is further configured to add the authentication arithmetic program to the eUICC through the communication module.
A thirteenth aspect provides a system for adding an authentication arithmetic program, which includes the SM-DP+ server described in the fifth aspect, the eUICC described in the sixth aspect and the LPA described in the seventh aspect. The embodiments and beneficial effects by which the system solves the problem may refer to the embodiments and beneficial effects of the fifth to seventh aspects, and repetition is omitted.
A fourteenth aspect provides a system for adding an authentication arithmetic program, which includes the SM-DP+ server described in the fifth aspect and the user terminal described in the eighth aspect. The embodiments and beneficial effects by which the system solves the problem may refer to the embodiments and beneficial effects of the fifth and eighth aspects, and repetition is omitted.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. Clearly, the drawings in the following description show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a system architecture provided in an embodiment of the present invention;
Fig. 2 is an architecture diagram of the eUICC software view provided in an embodiment of the present invention;
Fig. 3 to Fig. 5 are flow diagrams of the method for adding an authentication arithmetic program provided in embodiments of the present invention;
Fig. 6 to Fig. 10 are flow diagrams of an LPA sending a binding configuration file packet to an eUICC, provided in embodiments of the present invention;
Fig. 11 to Fig. 13 are flow diagrams of the method for adding an authentication arithmetic program provided in embodiments of the present invention;
Fig. 14 is a structural schematic diagram of a binding configuration file packet provided in an embodiment of the present invention;
Fig. 15 is a flow diagram of another method for adding an authentication arithmetic program provided in an embodiment of the present invention;
Fig. 16 is a structural schematic diagram of another binding configuration file packet provided in an embodiment of the present invention;
Fig. 17 is a flow diagram of another method for adding an authentication arithmetic program provided in an embodiment of the present invention;
Fig. 18 is a structural schematic diagram of another binding configuration file packet provided in an embodiment of the present invention;
Fig. 19 is a structural schematic diagram of an SM-DP+ server provided in an embodiment of the present invention;
Fig. 20 is a structural schematic diagram of an eUICC provided in an embodiment of the present invention;
Fig. 21 is a structural schematic diagram of a user terminal provided in an embodiment of the present invention;
Fig. 22 is a structural schematic diagram of another SM-DP+ server provided in an embodiment of the present invention;
Fig. 23 is a structural schematic diagram of another eUICC provided in an embodiment of the present invention;
Fig. 24 is a structural schematic diagram of an LPA provided in an embodiment of the present invention;
Fig. 25 is a structural schematic diagram of another user terminal provided in an embodiment of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions of the embodiments of the present invention are described below with reference to the accompanying drawings.
To facilitate understanding of the embodiments of the present invention, the system architecture and the eUICC software architecture provided in the embodiments are introduced first.
Fig. 1 is a system architecture diagram provided in an embodiment of the present invention. As shown in Fig. 1, the system architecture includes a user terminal, an SM-DP+ server and a Mobile Network Operator (Mobile Network Operator, MNO).
The user terminal may be any of various electronic devices, including a cell phone, a tablet computer, a personal digital assistant (Personal Digital Assistant, PDA), a TV, a vehicle-mounted device, a machine-to-machine device (Machine to Machine, M2M), a mobile internet device (Mobile Internet Device, MID) and an intelligent wearable device (such as a smartwatch or smart bracelet). An eUICC and a local profile assistant (Local Profile Assistant, LPA) are provided in the user terminal; the LPA may be deployed in the terminal, independently of the eUICC, or it may be deployed in the eUICC. Fig. 1 takes the case where the LPA and the eUICC are deployed independently as an example.
Optionally, the LPA may include a local profile download (Local Profile Download, LPD) module, a local user interface (Local User Interface, LUI) module and a local discovery service (Local Discovery Service, LDS) module. In general, the LPA mediates the interaction between the user terminal and the eUICC inside the user terminal: the LPD module is mainly responsible for profile download, the LDS module is mainly responsible for service discovery, and the LUI module provides the UI for the user. Through the LPA, the user can manage the configuration files downloaded on the eUICC, for example activating, deactivating and deleting configuration files.
The SM-DP+ server generates configuration files, associates a configuration file with a specified eUICC, and downloads the configuration file to that eUICC.
Fig. 2 is an architecture diagram of the eUICC software view provided in an embodiment of the present invention. As shown in Fig. 2, the eUICC includes configuration files, an LPAe (LPA in eUICC), an issuer security domain-root (Issuer Security Domain Root, ISD-R) and an eUICC controlling authority security domain (eUICC Controlling Authority Security Domain, ECASD). Optionally, the eUICC may also include an issuer security domain-operating system update (Issuer Security Domain OS update, ISD-OD) and an operating system (Operating System, OS) part; the LPAe, ISD-R, ECASD and ISD-OD may also belong to the operating system part. The ISD-R includes the LPA Services. A configuration file includes an issuer security domain-profile (Issuer Security Domain Profile, ISD-P), network access applications (Network Access Applications, NAAs), a file system and so on. Optionally, a configuration file may also include an authentication arithmetic program, and when it does, the eUICC need not include an ISD-OD. The OS part includes an operating system patch interpreter (OS patch interpreter), a profile policy enabler, a profile package interpreter (Profile Package Interpreter) and a telecom framework (Telecom Framework); the telecom framework includes the authentication arithmetic programs.
As also shown in Fig. 2, the LPA Services in the ISD-R and the LPAd (LPA in the device) retain four interfaces, namely ES10a, ES10b, ES10c and ES10d. ES10a is used between the LDSd (Local Discovery Service in the device) and the LPA Services to handle configuration file discovery. ES10b is used between the LPDd (Local Profile Download in the device) and the LPA Services to transfer the binding configuration file packet to the eUICC. ES10c is used between the LUId (Local User Interface in the device) and the LPA Services to implement local profile management by the user. ES10d is used between the LPADd (Local Patch Download in the device) in the LPA and the LPA Services to transfer an operating system update packet to the eUICC, where the update packet is cached in the ISD-OD. The operating system patch interpreter in the operating system translates an operating system patch packet into the installed operating system patch file according to an operating system patch packet specification; it can also cache the operating system update packet received from the LPADd. The ES10d interface may also be given another name, which this embodiment does not specifically limit.
An NAA includes authentication parameters, a unique IMSI (subscriber identifier), location data and so on. The telecom framework includes the authentication arithmetic program. When the eUICC registers to the network through a configuration file, network authentication is required. During network authentication, the authentication arithmetic program is used to generate the authentication response (SRES) and to derive the encryption key and integrity key, which serve to verify the legitimacy of the network entity or of the UICC. In practice, however, it has been found that because the authentication arithmetic program corresponding to the required authentication arithmetic may be missing from the eUICC, the eUICC cannot successfully access the operator network through the configuration file.
In order to add to the eUICC the authentication arithmetic program corresponding to the authentication arithmetic that the eUICC lacks, the embodiments of the present invention provide a method for adding an authentication arithmetic program, together with related devices and a system.
Refer to Fig. 3, which is a flow diagram of a method for adding an authentication arithmetic program provided in an embodiment of the present invention. As shown in Fig. 3, the method may include parts 301 to 305, where:
301: the MNO sends the authentication arithmetic program to the SM-DP+ server.
The authentication arithmetic program corresponds to target information, where the target information is at least one of the firmware version information of the eUICC, the EID (eUICC-ID, embedded universal integrated circuit card identity) issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC.
Optionally, the authentication arithmetic program is to be added to the authentication arithmetic program set of the eUICC, which may reside in the telecom framework of the eUICC.
Optionally, the MNO may generate different versions of the authentication arithmetic program for at least one of different firmware version information, EID issuer identifiers, platform/operating system version information and capability information of the eUICC, and establish a list (an exemplary structure is shown in Table 1) that contains, for each version of the authentication arithmetic program, its identifier (or version) together with the corresponding firmware version information, EID issuer identifier, platform/operating system version information and capability information of the eUICC. Optionally, the list may also be established by the card vendor. For example, the operator and the card vendor negotiate the authentication arithmetic to be implemented and the environment or conditions for carrying it (for example, any one or several of the firmware version information of the eUICC, the EID issuer identifier, the platform/operating system version information of the eUICC and the capability information of the eUICC); the operator hands the implementation of the authentication arithmetic to the card vendor, and when development is complete the card vendor delivers to the operator the list of authentication arithmetic programs of all versions together with all the corresponding programs in the list. Alternatively, the card vendor may store the list and all the authentication arithmetic programs in it on a patch server and establish an interface between the patch server and the carrier server, so that the MNO can request from the patch server the authentication arithmetic program corresponding to the target information.
Table 1
For example, suppose an eUICC1 exists that lacks the authentication arithmetic program supported by the MNO, whose EID issuer identifier is G&D, whose firmware version information is 852321, whose platform/operating system version information is V4.0.1 and whose capability information is ability information 1. The MNO then finds in the list, according to the EID issuer identifier, firmware version information, platform/operating system version information and capability information of eUICC1, that the identifier of the corresponding authentication arithmetic program is GD_01, and the MNO sends the GD_01 version of the authentication arithmetic program to the SM-DP+ server. The SM-DP+ server generates a binding configuration file packet including the GD_01 version of the authentication arithmetic program, and the packet is sent to eUICC1 through the LPA; eUICC1 then adds the GD_01 version of the authentication arithmetic program to itself. The correspondence in the table above is only an example: optionally, the identifier of the authentication arithmetic program may correspond to any one or several of the items of information in the table. For instance, the identifier may correspond only to the EID issuer identifier, or to both the EID issuer identifier and the firmware version information; the embodiment of the present invention does not limit this.
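The MNO-side selection just described, including the case where a list entry constrains only some of the four items of target information, is shown below as an added example; it is written for this page and is not the patent's or any operator's code. The `GD_01` row repeats the values given in the text (G&D, 852321, V4.0.1, ability information 1); the other rows, the `ListEntry` structure and the most-specific-match rule are constructed assumptions that go beyond the text, which does not say how competing entries are ranked.

```python
"""MNO-side lookup of the authentication arithmetic program for an eUICC (constructed example)."""
from dataclasses import dataclass
from typing import Optional

FIELDS = ("eid_issuer", "firmware_version", "platform_os_version", "capability")


@dataclass(frozen=True)
class ListEntry:
    """One row of a Table 1-style list; a None field does not constrain that item of information."""
    program_id: str                             # identifier (or version) of the program
    eid_issuer: Optional[str] = None
    firmware_version: Optional[str] = None
    platform_os_version: Optional[str] = None
    capability: Optional[str] = None

    def matches(self, target: dict) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == target.get(f) for f in FIELDS)

    def specificity(self) -> int:
        return sum(getattr(self, f) is not None for f in FIELDS)


# Constructed list: GD_01 carries the values from the text; the other rows are invented to show
# an issuer-only fallback, a near miss on the OS version, and a second issuer.
PROGRAM_LIST = [
    ListEntry("GD_01", "G&D", "852321", "V4.0.1", "ability information 1"),
    ListEntry("GD_00", "G&D"),
    ListEntry("GD_02", "G&D", "852321", "V4.0.2", "ability information 1"),
    ListEntry("XX_01", "OtherEUM", None, "V4.0.1"),
]


def find_program(target: dict, program_list=PROGRAM_LIST) -> Optional[str]:
    """Return the identifier of the most specific matching entry, or None when nothing matches.
    Returning None (rather than a default program) is deliberate: the MNO should not ship a
    program built for a different firmware or platform to the card."""
    candidates = [entry for entry in program_list if entry.matches(target)]
    if not candidates:
        return None
    return max(candidates, key=ListEntry.specificity).program_id
```

With the full target information of eUICC1 the lookup returns `GD_01`; with only the issuer known it falls back to the issuer-only row, and an unknown issuer yields no program at all.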
302: the SM-DP+ server generates a binding configuration file packet including the authentication arithmetic program.
In the embodiment of the present invention, after the SM-DP+ server receives the authentication arithmetic program sent by the MNO, it generates a binding configuration file packet including that program. Optionally, the binding configuration file packet further includes a configuration file; that is, the authentication arithmetic program the eUICC lacks can be downloaded during the download of the configuration file, so that the program reaches the eUICC more promptly. Optionally, the authentication arithmetic program may be located inside the configuration file or outside it; the embodiment of the present invention does not limit this.
303: the SM-DP+ server sends the binding configuration file packet to the LPA.
In the embodiment of the present invention, after generating the binding configuration file packet including the authentication arithmetic program, the SM-DP+ server sends the packet to the LPA so that the LPA forwards it to the eUICC.
304: the LPA sends the binding configuration file packet to the eUICC.
305: the eUICC adds the authentication arithmetic program to the eUICC.
In the embodiment of the present invention, once the eUICC has received the authentication arithmetic program, it adds the program to the eUICC. Specifically, the authentication arithmetic program can be added to the authentication arithmetic program set of the eUICC, which may be implemented in the telecom framework (Telecom Framework).
By implementing the method described in Fig. 3, the MNO can send to the SM-DP+ server the authentication arithmetic program corresponding to the authentication arithmetic lacking in the eUICC. After receiving that program from the MNO, the SM-DP+ server generates a binding configuration file packet including it and sends the packet to the eUICC through the LPA, and the eUICC can then add the authentication arithmetic program from the packet to itself. Thus, by implementing the method described in Fig. 3, the eUICC can add the authentication arithmetic program corresponding to the required authentication arithmetic in time.
As an optional embodiment, for example, the target information includes the firmware version information of the eUICC. During the subscription process between the user terminal and the MNO server, the MNO server may receive the firmware version information of the eUICC. After receiving the firmware version information of the eUICC, the MNO server finds the corresponding authentication algorithm program according to the received firmware version information.
In another example, the target information includes the EID issuer identifier of the eUICC. During the subscription process between the user terminal and the MNO server, the MNO server may receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the EID issuer identifier from the EID and finds the corresponding authentication algorithm program according to the EID issuer identifier.
In another example, the target information includes the platform/operating system version information. During the subscription process between the user terminal and the MNO server, the MNO server may receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the platform/operating system version information from the EID and finds the corresponding authentication algorithm program according to the platform/operating system version information.
In another example, the target information includes the EID issuer identifier and the platform/operating system version information. During the subscription process between the user terminal and the MNO server, the MNO server may receive the EID sent by the LPA. After receiving the EID, the MNO server obtains the EID issuer identifier and the platform/operating system version information of the eUICC from the EID and finds the corresponding authentication algorithm program according to the EID issuer identifier and the platform/operating system version information.
In another example, the target information includes the capability information of the eUICC. During the subscription process between the user terminal and the MNO server, the MNO server may receive the capability information of the eUICC. After receiving the capability information of the eUICC, the MNO server finds the corresponding authentication algorithm program according to the received capability information of the eUICC.
In another example, the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC. During the subscription process between the user terminal and the MNO, the MNO may receive the firmware version information and the EID sent by the LPA. After receiving the EID, the MNO obtains the EID issuer identifier and the platform/operating system version information from the EID, finds the corresponding authentication algorithm program based on the received firmware version information, EID issuer identifier and platform/operating system version information, and sends the authentication algorithm program to the SM-DP+ server.
In another example, as shown in Fig. 4, the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC. During the subscription process between the user terminal and the MNO server, the MNO server may receive the firmware version information, the EID and the capability information of the eUICC sent by the LPA. After receiving the EID, the MNO server obtains the EID issuer identifier and the platform/operating system version information from the EID, finds the corresponding authentication algorithm program based on the received firmware version information, EID issuer identifier, platform/operating system version information and eUICC capability information, and sends the authentication algorithm program to the SM-DP+ server. In other words, the target information may include one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the eUICC capability information; after the MNO server receives the target information, it finds the corresponding authentication algorithm program according to the target information. Optionally, the MNO server may send the authentication algorithm program to the SM-DP+ server in a download order (DownloadOrder), or in a confirm order (ConfirmOrder).
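The matching step that the preceding examples describe (derive the EID issuer identifier and the platform/operating system version from the EID, combine them with the reported firmware version and capability information, and pick a program), written out as an added Python example; it is not code from the patent or from any MNO or GSMA implementation. The EID digit layout assumed here (issuer identifier in digits 1 to 8, platform/operating system version in digits 9 to 13, two ISO 7064 MOD 97-10 check digits at the end) follows the SGP.02-style EID format and is not fixed by the text; the catalogue entries, the sample EIDs, the version and capability fields and the "most specific entry wins" rule are constructed for the example. The check-digit validation is the input check an MNO-side service should run before deriving anything from a reported EID.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

EID_LEN = 32


def with_check_digits(base30: str) -> str:
    """Append the two ISO 7064 MOD 97-10 check digits so that int(eid) % 97 == 1."""
    if len(base30) != 30 or not base30.isdigit():
        raise ValueError("EID base must be exactly 30 digits")
    check = 98 - int(base30 + "00") % 97
    return base30 + f"{check:02d}"


def eid_is_valid(eid: str) -> bool:
    """Input check before deriving anything from a reported EID."""
    return len(eid) == EID_LEN and eid.isdigit() and int(eid) % 97 == 1


def parse_eid(eid: str) -> Dict[str, str]:
    """Derive the EID issuer identifier and platform/OS version (assumed digit layout)."""
    if not eid_is_valid(eid):
        raise ValueError("malformed EID or bad check digits")
    return {"ein": eid[0:8], "platform_os_version": eid[8:13]}


def parse_firmware(version: str) -> Tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class AuthProgram:
    """One entry of the MNO's catalogue of authentication algorithm programs."""
    program_id: str                                   # identifier later carried in the profile
    ein: Optional[str] = None                         # required EID issuer identifier, None = any
    platform_os: Optional[str] = None                 # required platform/OS version, None = any
    min_firmware: Tuple[int, ...] = (0,)              # lowest eUICC firmware supported
    needs_capabilities: FrozenSet[str] = frozenset()  # eUICC capabilities the program needs

    def specificity(self) -> int:
        """Number of conditions imposed; the most specific matching entry wins."""
        return ((self.ein is not None) + (self.platform_os is not None)
                + (self.min_firmware != (0,)) + bool(self.needs_capabilities))

    def matches(self, info: Dict[str, Any]) -> bool:
        return ((self.ein is None or info["ein"] == self.ein)
                and (self.platform_os is None or info["platform_os_version"] == self.platform_os)
                and info["firmware"] >= self.min_firmware
                and self.needs_capabilities <= info["capabilities"])


# Constructed catalogue; GD_01 and GTO_01 are the identifiers the text uses.
CATALOGUE: List[AuthProgram] = [
    AuthProgram("GD_01", ein="89001012", platform_os="00304",
                min_firmware=(2, 0, 0), needs_capabilities=frozenset({"milenage"})),
    AuthProgram("GTO_01", ein="89001012", min_firmware=(1, 0, 0)),
    AuthProgram("GEN_01"),   # generic fallback with no conditions
]


def build_target_info(eid: str, firmware_version: str, capabilities) -> Dict[str, Any]:
    """Combine the reported EID, firmware version and capabilities into target information."""
    info: Dict[str, Any] = dict(parse_eid(eid))
    info["firmware"] = parse_firmware(firmware_version)
    info["capabilities"] = frozenset(capabilities)
    return info


def select_program(info: Dict[str, Any], catalogue: List[AuthProgram] = CATALOGUE) -> Optional[str]:
    """Identifier of the most specific matching program, or None if nothing fits."""
    for entry in sorted(catalogue, key=AuthProgram.specificity, reverse=True):
        if entry.matches(info):
            return entry.program_id
    return None


# Constructed sample EID: issuer identifier 89001012, platform/OS version 00304.
SAMPLE_EID = with_check_digits("890010120030412345678901234567")
```

`select_program(build_target_info(SAMPLE_EID, "2.1.0", {"milenage"}))` yields `GD_01`; the same eUICC on firmware 1.5.0 falls back to `GTO_01`, and an EID from a different issuer only matches the generic entry. Any single-digit change to the EID fails the check-digit test, so a corrupted or mistyped EID is refused before a program is selected for it.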
By implementing this embodiment, the MNO can actively push the authentication algorithm program that the eUICC lacks to the SM-DP+ server; after the SM-DP+ server receives the authentication algorithm program, the program can be sent to the eUICC through the LPA and added there.
Optionally, during the subscription process between the user terminal and the MNO server, after the EID or other matching information (such as the firmware version information and the capability information of the eUICC) has been reported, the MNO server looks up the corresponding authentication algorithm program and carries a profile type (ProfileType) in the download order (DownloadOrder) sent to the SM-DP+ server. The profile type indicates the type of profile that the SM-DP+ server is to generate or match. Profile types may be distinguished by the data contained in the profile: for example, profile type 1 indicates a profile containing an authentication algorithm program, and profile type 2 indicates a profile without an authentication algorithm program. Alternatively, profile types may be distinguished by the identifiers of the different authentication algorithm programs contained in the profile: for example, profile type 1 indicates a profile containing the authentication algorithm program with identifier GD_01, and profile type 2 indicates a profile containing the authentication algorithm program with identifier GTO_01. Optionally, the MNO server may carry two profile types in the download order, one indicating a profile containing an authentication algorithm program and the other indicating a profile containing the authentication algorithm program with identifier GTO_01. Or the MNO server may carry two profile types in the download order, one indicating a profile that does not contain an authentication algorithm program and the other indicating a profile that does not contain the authentication algorithm program with identifier GTO_01.
Optionally, during the subscription process between the user terminal and the MNO server, the EID information need not be reported; the user may instead purchase an activation code corresponding to a profile. When batch-generating the profiles corresponding to activation codes, the MNO server may place authentication algorithm programs of different versions in different sets of profiles. When the user terminal purchases an activation code, the operator may require the user terminal to provide matching information, which may be at least one of the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC. Based on the matching information obtained from the user terminal, the MNO server instructs the SM-DP+ server to package the profile containing the authentication algorithm program of the corresponding version and send it to the eUICC of the user terminal. The SM-DP+ server may obtain the authentication algorithm programs as follows: after generating the authentication algorithm programs corresponding to the authentication algorithms of different versions, the MNO server sends to the SM-DP+ server the list of the authentication algorithm programs of all versions, indicating which program corresponds to each required authentication algorithm, together with the programs themselves.
As an optional embodiment, for example, when the target information includes the firmware version information of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the LPA sends second information to the SM-DP+ server, the second information including eUICC information; after receiving the second information, the SM-DP+ server obtains the firmware version information from the eUICC information; the SM-DP+ server sends third information to the MNO, the third information including the firmware version information; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
In another example, when the target information includes the EID issuer identifier of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the MNO sends first information to the SM-DP+ server, the first information including EID information; after receiving the first information, the SM-DP+ server obtains the EID issuer identifier from the EID information; the SM-DP+ server sends third information to the MNO, the third information including the EID issuer identifier; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
In another example, when the target information includes the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the MNO sends first information to the SM-DP+ server, the first information including EID information; after receiving the first information, the SM-DP+ server obtains the platform/operating system version information of the eUICC from the EID information; the SM-DP+ server sends third information to the MNO, the third information including the platform/operating system version information of the eUICC; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
In another example, when the target information includes the EID issuer identifier and the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the MNO sends first information to the SM-DP+ server, the first information including EID information; after receiving the first information, the SM-DP+ server obtains the EID issuer identifier and the platform/operating system version information of the eUICC from the EID information; the SM-DP+ server sends third information to the MNO, the third information including the EID issuer identifier and the platform/operating system version information of the eUICC; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
For example, when the target information includes the capability information of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the LPA sends second information to the SM-DP+ server, the second information including eUICC information; after receiving the second information, the SM-DP+ server obtains the capability information of the eUICC from the eUICC information; the SM-DP+ server sends third information to the MNO, the third information including the capability information of the eUICC; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
In another example, when the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the MNO sends first information to the SM-DP+ server, the first information including EID information; the LPA sends second information to the SM-DP+ server, the second information including eUICC information; after receiving the first information and the second information, the SM-DP+ server obtains the firmware version information from the eUICC information and obtains the EID issuer identifier and the platform/operating system version information from the EID information; the SM-DP+ server sends third information to the MNO, the third information including the firmware version information, the EID issuer identifier and the platform/operating system version information; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
In another example, when the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC, as shown in Fig. 5, the MNO, the SM-DP+ server and the LPA may further perform the following steps: the MNO sends first information to the SM-DP+ server, the first information including EID information; the LPA sends second information to the SM-DP+ server, the second information including eUICC information; after receiving the first information and the second information, the SM-DP+ server obtains the firmware version information and the capability information of the eUICC from the eUICC information and obtains the EID issuer identifier and the platform/operating system version information from the EID information; the SM-DP+ server sends third information to the MNO, the third information including the firmware version information, the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server. In other words, the third information sent by the SM-DP+ server to the MNO may include one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the eUICC capability information; the MNO looks up the corresponding authentication algorithm program according to the third information and sends the authentication algorithm program found to the SM-DP+ server.
Optionally, the first information may be a download order (DownloadOrder) or a confirm order (ConfirmOrder). Optionally, the third information may be download progress handling information (HandleDownloadProgressInfo).
By implementing this embodiment, the SM-DP+ server can actively request from the MNO the authentication algorithm program that the eUICC lacks; after the SM-DP+ server receives the authentication algorithm program, the program can be sent to the eUICC through the LPA and added there.
Optionally, the operator and the card vendor negotiate the authentication algorithms to be implemented and the environment or conditions under which each authentication algorithm is carried (for example one or more of the firmware version information of the eUICC, the EID issuer identifier, the platform/operating system version information of the eUICC and the capability information of the eUICC). The operator hands the implementation of the authentication algorithms to the card vendor, and when development is complete the card vendor delivers to the operator the list of the authentication algorithm programs of all versions together with all the authentication algorithm programs in that list. Optionally, the card vendor may store the list and all the authentication algorithm programs on a patch server and establish an interface between the patch server and the operator server. When the SM-DP+ server sends the third information to the operator server as download progress handling information (HandleDownloadProgressInfo), the operator server may forward the third information to the patch server over its interface with the patch server. The patch server finds the matching authentication algorithm program according to the information received in the third information (for example one or more of the firmware version information of the eUICC, the EID issuer identifier, the platform/operating system version information of the eUICC and the capability information of the eUICC) and sends the authentication algorithm program to the operator server. The operator server sends the received authentication algorithm program to the SM-DP+ server. Optionally, the SM-DP+ server may also receive, forwarded by the operator server, the authentication algorithm program that the patch server found to match the third information together with the identifier of that authentication algorithm program.
As an optional embodiment, the first information further includes an authentication algorithm program addition indication, which instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the target information. For example, if the target information includes the firmware version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information. If the target information includes the EID issuer identifier, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the EID issuer identifier. If the target information includes the platform/operating system version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the platform/operating system version information. If the target information includes the EID issuer identifier and the platform/operating system version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the EID issuer identifier and the platform/operating system version information. If the target information includes the capability information of the eUICC, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the capability information of the eUICC. As shown in Fig. 5, if the target information includes the firmware version information, the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC. In other words, the target information may include one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the eUICC capability information, and the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining all the constituent information of the target information.
As an optional embodiment, the second information further includes an authentication algorithm program addition indication. After the subscription process is complete, the user obtains an activation code issued by the MNO, and the activation code includes the authentication algorithm program addition indication and the address of the SM-DP+ server. After the user enters the activation code, the LPA recognizes the addition indication included in the activation code and carries it in the second information sent to the SM-DP+ server. The addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the target information. For example, if the target information includes the firmware version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information. If the target information includes the EID issuer identifier, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the EID issuer identifier. If the target information includes the platform/operating system version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the platform/operating system version information.
If the target information includes the EID issuer identifier and the platform/operating system version information, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the EID issuer identifier and the platform/operating system version information. If the target information includes the capability information of the eUICC, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the capability information of the eUICC. As shown in Fig. 5, if the target information includes the firmware version information, the EID issuer identifier, the platform/operating system version information and the capability information of the eUICC, the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information. In this scheme, the MNO server need not carry the addition indication in the first information. After the user terminal and the MNO server complete the subscription process, the user terminal receives the activation code sent by the MNO server, which contains the addition indication; after the LPA of the user terminal receives the user's operation of recognizing the activation code, it includes the addition indication from the activation code in the second information and sends it to the SM-DP+ server. In other words, the target information may include one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the eUICC capability information, and the addition indication instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining all the constituent information of the target information.
As an optional embodiment, both the first information and the second information may include the authentication algorithm program addition indication, or only one of the first information and the second information may include it; this embodiment of the present invention does not limit this.
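The exchange described in this and the preceding optional embodiments (first information from the MNO, second information from the LPA, third information from the SM-DP+ server to the MNO, with the request gated by the addition indication carried in either message), as an added example that is not part of the patent or of any RSP product. The message field names, the matching identifier used to pair the two messages, the EID digit positions, and the MNO's lookup table are assumptions made for the example; the SM-DP+ side accepts the two messages in either order and does nothing until both have arrived.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass
class Session:
    first_info: Optional[Dict[str, Any]] = None    # from the MNO (DownloadOrder or ConfirmOrder)
    second_info: Optional[Dict[str, Any]] = None   # from the LPA (eUICC information)
    program: Optional[Dict[str, Any]] = None       # returned by the MNO, if requested


class Mno:
    """Operator side: answers the third information (HandleDownloadProgressInfo)."""

    def __init__(self, table: Dict[tuple, Dict[str, Any]]) -> None:
        self.table = table   # (EID issuer identifier, firmware major version) -> program record

    def handle_download_progress_info(self, third: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        key = (third["ein"], third["firmware_version"].split(".")[0])
        return self.table.get(key)


class SmDpPlus:
    def __init__(self, mno: Mno) -> None:
        self.mno = mno
        self.sessions: Dict[str, Session] = {}

    def receive_first_information(self, matching_id: str, msg: Dict[str, Any]) -> None:
        self.sessions.setdefault(matching_id, Session()).first_info = msg

    def receive_second_information(self, matching_id: str, msg: Dict[str, Any]) -> None:
        self.sessions.setdefault(matching_id, Session()).second_info = msg

    def target_information(self, matching_id: str) -> Optional[Dict[str, Any]]:
        """Assemble the target information once both messages have arrived."""
        s = self.sessions.get(matching_id)
        if s is None or s.first_info is None or s.second_info is None:
            return None
        eid, euicc = s.first_info["eid"], s.second_info["euicc_info"]
        return {"ein": eid[:8], "platform_os_version": eid[8:13],   # assumed EID layout
                "firmware_version": euicc["firmware_version"],
                "capabilities": sorted(euicc["capabilities"])}

    def progress(self, matching_id: str) -> Optional[Dict[str, Any]]:
        """None until both messages are in; afterwards, whether and what was requested."""
        third = self.target_information(matching_id)
        if third is None:
            return None
        s = self.sessions[matching_id]
        flagged = bool(s.first_info.get("add_auth_program")
                       or s.second_info.get("add_auth_program"))
        if not flagged:   # no addition indication from either side: plain profile download
            return {"requested": False, "third_information": third, "program_id": None}
        s.program = self.mno.handle_download_progress_info(third)
        return {"requested": True, "third_information": third,
                "program_id": s.program["program_id"] if s.program else None}


# Constructed operator table and sample messages.
MNO = Mno({("89001012", "2"): {"program_id": "GD_01", "image": b"<constructed program>"}})
SAMPLE_EID = "89001012003041234567890123456789"
FIRST_INFO = {"eid": SAMPLE_EID, "add_auth_program": True}            # DownloadOrder content
SECOND_INFO = {"euicc_info": {"firmware_version": "2.1.0",
                              "capabilities": {"milenage", "tuak"}}}   # eUICC information


def run_demo() -> Dict[str, Any]:
    """LPA reports first, then the MNO; the request goes out only once both are in."""
    sm = SmDpPlus(MNO)
    sm.receive_second_information("m1", SECOND_INFO)
    before = sm.progress("m1")                      # still waiting for the first information
    sm.receive_first_information("m1", FIRST_INFO)
    return {"before": before, "after": sm.progress("m1")}
```

A session whose messages carry no addition indication completes as an ordinary profile download (`requested` is False), and a flagged session for which the MNO has no matching program ends with `program_id` set to None, which is the case the SM-DP+ operator should alert on rather than silently building a package without the program.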
As an optional embodiment, the bound profile package includes initial secure channel information, store metadata, the authentication algorithm program and the profile, with the authentication algorithm program located inside the profile. Fig. 6 is a flow chart of the LPA sending the bound profile package to the eUICC. As shown in Fig. 6, the LPA may send the bound profile package to the eUICC in the following steps: the LPA sends the initial secure channel information to the eUICC; the LPA sends the store metadata to the eUICC; the LPA sends the profile to the eUICC. Correspondingly, the eUICC may receive the bound profile package in the following steps: the eUICC receives the initial secure channel information sent by the LPA; the eUICC receives the store metadata sent by the LPA; the eUICC receives the profile sent by the LPA.
Specifically, after the eUICC receives the profile containing the authentication algorithm program, it parses the authentication algorithm program included in the profile according to the profile element format defined by the SIMalliance, and adds or installs the parsed authentication algorithm program in the eUICC, specifically in the authentication algorithm program set in the Telecom Framework. The addition or installation of the authentication algorithm program may take place before the installation of the other profile elements of the profile, after the installation of the other profile elements, or during the installation of all the profile elements; this embodiment of the present invention does not limit this.
By carrying the authentication algorithm program inside the profile downloaded to the eUICC, the authentication algorithm program that the eUICC lacks is downloaded to the eUICC in the course of downloading the profile. Once the profile is enabled, the authentication algorithm program can be used directly to verify the identity of the eUICC. Therefore, carrying the authentication algorithm program inside the profile downloaded to the eUICC delivers the authentication algorithm program to the eUICC more promptly.
As an optional embodiment, the bound profile package includes initial secure channel information, store metadata, the authentication algorithm program and the profile, with the authentication algorithm program located outside the profile, that is, not inside the profile. Fig. 7 is a flow chart of the LPA sending the bound profile package to the eUICC. As shown in Fig. 7, the LPA may send the bound profile package to the eUICC in the following steps: the LPA sends the initial secure channel information to the eUICC; the LPA sends the store metadata to the eUICC; the LPA sends the authentication algorithm program to the eUICC; the LPA sends the profile to the eUICC.
Correspondingly, the eUICC may receive the bound profile package in the following steps: the eUICC receives the initial secure channel information sent by the LPA; the eUICC receives the store metadata sent by the LPA; the eUICC receives the authentication algorithm program sent by the LPA; the eUICC receives the profile sent by the LPA.
Optionally, after receiving the store metadata sent by the LPA, the eUICC may first receive the profile sent by the LPA. After the eUICC completes the installation of the profile, it sends the LPA a message indicating that the profile has been installed. After sending that message to the LPA, the eUICC may receive the authentication algorithm program sent by the LPA. Correspondingly, after sending the store metadata to the eUICC, the LPA may first send the profile to the eUICC and, after receiving the message from the eUICC indicating that the profile has been installed, send the authentication algorithm program to the eUICC. Optionally, if the LPA sends the authentication algorithm program after sending the profile, then after the LPA receives the message from the eUICC indicating that the addition of the authentication algorithm program is complete, it prompts the user whether to enable the downloaded profile. After receiving the user's confirmation, the LPA sends an enable profile command to the eUICC, which instructs the eUICC to enable the profile.
Optionally, after receiving the store metadata sent by the LPA, the eUICC may first receive the authentication algorithm program sent by the LPA. After the eUICC completes the addition of the authentication algorithm program, it sends the LPA a message indicating that the addition of the authentication algorithm program is complete. After sending that message to the LPA, the eUICC may receive the profile sent by the LPA. Correspondingly, after sending the store metadata to the eUICC, the LPA may first send the authentication algorithm program to the eUICC and, after receiving the message from the eUICC indicating that the addition of the authentication algorithm program is complete, send the profile to the eUICC.
By carrying the authentication algorithm program and the profile in one bound profile package downloaded to the eUICC, the authentication algorithm program that the eUICC lacks is downloaded to the eUICC in the course of downloading the profile. Once the profile is enabled, the authentication algorithm program can be used directly to verify the identity of the eUICC. Therefore, carrying the authentication algorithm program and the profile in one bound profile package downloaded to the eUICC delivers the authentication algorithm program to the eUICC more promptly.
As an optional embodiment, as shown in Fig. 8 and Fig. 9, after the eUICC receives the authentication algorithm program and the profile sent by the LPA, the eUICC may also install the profile in the eUICC. After the eUICC adds the authentication algorithm program in the profile to the eUICC and installs the profile in the eUICC, it may also receive an enable profile command sent by the LPA, which instructs the eUICC to enable the profile; the eUICC determines the corresponding authentication algorithm program according to the identifier of the authentication algorithm program in the profile; the eUICC configures the authentication algorithm program with the network access application parameters of the profile; and the eUICC performs mutual authentication with the network using the authentication algorithm program.
Optionally, the enable profile command includes the identifier of the profile in the previously downloaded bound profile package. The eUICC reads the identifier of the authentication algorithm program in the profile to determine the corresponding authentication algorithm program. The identifier of the authentication algorithm program may be stored in the file system part of the profile. The authentication algorithm program is the one included in the previously downloaded bound profile package: the eUICC obtains the authentication algorithm program from the bound profile package and installs or adds it to the authentication algorithm implementation set in the Telecom Framework. There may be multiple sets of authentication algorithm programs in the eUICC, each with its own unique identifier, so the eUICC determines the previously added authentication algorithm program according to the identifier in the profile. After determining the authentication algorithm program, the eUICC configures it with the network access application parameters of the profile. After the network access application parameters are configured, the eUICC performs mutual authentication with the network using the authentication algorithm program; after successful authentication, the terminal to which the eUICC belongs can access the network. The network here may be the Mobility Management Entity on the network side, or the Authentication Center.
By implementing this embodiment, once the profile is enabled, the authentication algorithm program in the profile, or the authentication algorithm program downloaded to the eUICC in the same bound profile package as the profile, can be used directly to verify the identity of the eUICC toward the network entity.
As an optional embodiment, as shown in Fig. 8 and Fig. 9, if the eUICC deletes a profile, the eUICC also deletes the authentication algorithm program corresponding to that profile. The authentication algorithm program corresponding to the profile is the one that arrived in the same bound profile package as the profile, and it is used to verify the identity of the eUICC after the profile is installed and enabled. If the authentication algorithm program implements an operator's proprietary authentication algorithm, then once the profile corresponding to it is deleted, the program has no occasion to be invoked for the time being. Therefore, when the eUICC deletes the profile, deleting the corresponding authentication algorithm program helps save storage space. Specifically, after the eUICC determines that the authentication algorithm program and the profile it added or installed came from the same bound profile package, it can establish a mapping between the authentication algorithm program and the profile; after the eUICC determines that the profile has been deleted, it can delete the corresponding authentication algorithm program according to the mapping established earlier.
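The enable and delete behaviour of the preceding optional embodiments (select the program by the identifier in the profile, configure it with the network access application parameters, authenticate mutually with the network, and delete the program together with its profile according to the mapping), as an added example that is not the patent's or any eUICC operating system's code. The dictionary standing in for the Telecom Framework program set, the HMAC-based algorithm standing in for an operator's proprietary algorithm, the network token used for the network-to-eUICC direction, the field names and the ICCID and key values are constructed assumptions; the example also declines to delete a program that another installed profile still references, a refinement the text does not state.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# An authentication algorithm program: (K, RAND) -> RES.
AuthAlgorithm = Callable[[bytes, bytes], bytes]


def constructed_algorithm(k: bytes, rand: bytes) -> bytes:
    """Constructed stand-in for an operator's proprietary algorithm (HMAC-SHA-256, truncated)."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


class Network:
    """Stand-in for the MME or Authentication Center holding the subscriber key K per ICCID."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self.subscribers = subscribers

    def challenge(self, iccid: str) -> Tuple[bytes, bytes]:
        """RAND plus a network token so the eUICC can authenticate the network as well."""
        rand = os.urandom(16)
        autn = constructed_algorithm(self.subscribers[iccid], b"NET" + rand)
        return rand, autn

    def verify(self, iccid: str, rand: bytes, res: bytes) -> bool:
        expected = constructed_algorithm(self.subscribers[iccid], rand)
        return hmac.compare_digest(expected, res)


class Euicc:
    def __init__(self) -> None:
        self.programs: Dict[str, AuthAlgorithm] = {}   # Telecom Framework program set
        self.profiles: Dict[str, dict] = {}             # iccid -> installed profile
        self.program_of_profile: Dict[str, str] = {}    # mapping: profile -> program from same package
        self.enabled: Optional[str] = None
        self.active: Optional[Tuple[AuthAlgorithm, bytes]] = None

    def add_program(self, program_id: str, algorithm: AuthAlgorithm) -> None:
        self.programs[program_id] = algorithm

    def install_profile(self, profile: dict, program_in_same_package: bool) -> None:
        self.profiles[profile["iccid"]] = profile
        if program_in_same_package:   # remember the mapping for deletion later
            self.program_of_profile[profile["iccid"]] = profile["auth_program_id"]

    def enable_profile(self, iccid: str) -> bool:
        """Select the program named in the profile and configure it with the NAA parameters."""
        profile = self.profiles[iccid]
        program = self.programs.get(profile["auth_program_id"])
        if program is None:
            return False   # refuse to enable: there is no algorithm to authenticate with
        self.enabled = iccid
        self.active = (program, profile["naa_parameters"]["K"])
        return True

    def respond(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        """Check the network token first, then compute RES (the mutual part)."""
        program, k = self.active
        if not hmac.compare_digest(program(k, b"NET" + rand), autn):
            return None   # the network did not prove knowledge of K
        return program(k, rand)

    def delete_profile(self, iccid: str) -> Optional[str]:
        """Delete the profile and, per the mapping, the program delivered with it."""
        del self.profiles[iccid]
        if self.enabled == iccid:
            self.enabled, self.active = None, None
        program_id = self.program_of_profile.pop(iccid, None)
        still_used = any(p["auth_program_id"] == program_id for p in self.profiles.values())
        if program_id is not None and not still_used:   # refinement: keep programs still in use
            del self.programs[program_id]
            return program_id
        return None


ICCID = "8986000000000000001"   # constructed
K = bytes(range(16))            # constructed subscriber key shared with the network


def run_lifecycle() -> dict:
    """Add program, install and enable profile, authenticate, then delete the profile."""
    euicc, network = Euicc(), Network({ICCID: K})
    euicc.add_program("GD_01", constructed_algorithm)
    euicc.install_profile({"iccid": ICCID, "auth_program_id": "GD_01",
                           "naa_parameters": {"K": K}}, program_in_same_package=True)
    enabled = euicc.enable_profile(ICCID)
    rand, autn = network.challenge(ICCID)
    res = euicc.respond(rand, autn)
    authenticated = res is not None and network.verify(ICCID, rand, res)
    forged = euicc.respond(rand, b"\x00" * 8)   # a forged network token gets no RES
    deleted = euicc.delete_profile(ICCID)
    return {"enabled": enabled, "authenticated": authenticated, "forged_rejected": forged is None,
            "deleted_program": deleted, "programs_left": sorted(euicc.programs)}
```

Enabling a profile whose program identifier is not in the program set fails closed rather than leaving the profile enabled with no way to authenticate, which is the state a missing or not-yet-added program would otherwise produce.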
As an alternative embodiment, when the authentication algorithm program lies outside the profile, the LPA can receive fifth information sent by the SM-DP+ server. Correspondingly, in Figure 7, the LPA sends the authentication algorithm program to the eUICC as follows: the LPA sends the authentication algorithm program in the bound profile package to the eUICC according to the fifth information. After doing so, the LPA can also receive a message from the eUICC indicating that the addition of the authentication algorithm program is complete, and only after receiving that message does the LPA send the profile in the bound profile package to the eUICC. Optionally, the LPA can instead send the profile in the bound profile package to the eUICC first; after receiving the message from the eUICC indicating that the profile has been installed, the LPA sends the authentication algorithm program in the bound profile package to the eUICC according to the fifth information.
By implementing this embodiment, the LPA can accurately determine the authentication algorithm program within the bound profile package from the fifth information.
Optionally, the LPA can send the authentication algorithm program to the eUICC over the ES10d interface between the LPADd and the LPA services in the ISD-R of the eUICC. The LPA receives over the ES10d interface the message from the eUICC indicating that the addition or installation of the authentication algorithm program is complete; this message can be carried in a response Application Protocol Data Unit (response APDU). After receiving it, the LPA sends the profile in the bound profile package to the eUICC over the ES10b interface between the LPDd and the LPA services.
Optionally, the eUICC can receive the authentication algorithm program sent by the LPA over the ES10d interface between the LPADd in the LPA and the LPA services in the ISD-R. After completing the addition or installation of the authentication algorithm program, the eUICC sends the message indicating that the addition or installation is complete to the LPA over the ES10b interface; this message can be carried in a response Application Protocol Data Unit (response APDU). After sending it, the eUICC receives the profile in the bound profile package that the LPA sends over the ES10b interface between the LPDd and the LPA services.
As an alternative embodiment, the fifth information can be the tag information of the encrypted segment data of the bound profile package, where the encrypted segment data of the bound profile package consists of the authentication algorithm program and the profile in the bound profile package. For example, when the fifth information is the tag information of the encrypted segment data, the process by which the LPA sends the bound profile package to the eUICC can be as shown in Figure 10.
Specifically, the data structure of the authentication algorithm program in the bound profile package uses the TLV format (a sample format is shown in Table 2). The bound profile package can reserve one tag (such as 'A4' in the table) or several tags to indicate a newly added authentication algorithm program; for example, 'A4' in Table 2 indicates one kind of authentication algorithm program. The LPA can identify the authentication algorithm program part by recognising the tags in the segment data of the bound profile package.
Table 2
By implementing this embodiment, the LPA can accurately determine the authentication algorithm program within the bound profile package from the tag information of the encrypted segment data.
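The tag-based split the LPA performs on the segment data, as an added example in Go (not code from the patent): a BER-TLV walker that separates the elements carried under the page's reserved tag 'A4' from the remaining profile elements and rejects truncated input rather than reading past the end. The sample segment, the neighbouring tags A0/A1 and the 200-byte dummy program are constructed here and are not the page's Table 2.

```go
package main

import (
	"errors"
	"fmt"
)

// TLV is one BER-TLV element of a bound profile package segment.
type TLV struct {
	Tag   []byte
	Value []byte
}

// parseTLVs splits data into consecutive BER-TLV elements. It accepts
// single- and multi-byte tags and short- and long-form (up to 4 byte)
// lengths, and rejects truncated input instead of reading past the end.
func parseTLVs(data []byte) ([]TLV, error) {
	var out []TLV
	for i := 0; i < len(data); {
		start := i
		if data[i]&0x1F == 0x1F { // multi-byte tag: bytes follow while bit 8 is set
			for i++; i < len(data) && data[i]&0x80 != 0; i++ {
			}
			if i >= len(data) {
				return nil, errors.New("truncated tag")
			}
		}
		i++
		tag := data[start:i]
		if i >= len(data) {
			return nil, errors.New("truncated length")
		}
		length := int(data[i])
		i++
		if length&0x80 != 0 { // long form: low 7 bits give the number of length bytes
			n := length & 0x7F
			if n == 0 || n > 4 || i+n > len(data) {
				return nil, errors.New("bad long-form length")
			}
			length = 0
			for k := 0; k < n; k++ {
				length = length<<8 | int(data[i+k])
			}
			i += n
		}
		if i+length > len(data) {
			return nil, fmt.Errorf("tag % X: value of %d bytes exceeds segment", tag, length)
		}
		out = append(out, TLV{Tag: tag, Value: data[i : i+length]})
		i += length
	}
	return out, nil
}

// authAlgTag is the tag the page reserves for a newly added authentication
// algorithm program ('A4' in its Table 2).
const authAlgTag = 0xA4

// splitBPPSegment separates the authentication algorithm program(s) from the
// remaining (profile) elements so the LPA can forward them to the eUICC separately.
func splitBPPSegment(segment []byte) (programs [][]byte, profileElems []TLV, err error) {
	elems, err := parseTLVs(segment)
	if err != nil {
		return nil, nil, err
	}
	for _, e := range elems {
		if len(e.Tag) == 1 && e.Tag[0] == authAlgTag {
			programs = append(programs, e.Value)
		} else {
			profileElems = append(profileElems, e)
		}
	}
	if len(programs) == 0 {
		return nil, nil, errors.New("no authentication algorithm program element in segment")
	}
	return programs, profileElems, nil
}

// sampleSegment builds a constructed segment: two dummy profile elements
// (tags A0 and A1, chosen for this example) around a 200-byte dummy program
// under tag A4, whose length needs the long form (81 C8).
func sampleSegment() []byte {
	program := make([]byte, 200)
	for i := range program {
		program[i] = byte(i)
	}
	seg := []byte{0xA0, 0x03, 0x01, 0x02, 0x03}
	seg = append(seg, 0xA4, 0x81, 0xC8)
	seg = append(seg, program...)
	seg = append(seg, 0xA1, 0x02, 0xAA, 0xBB)
	return seg
}

func main() {
	programs, rest, err := splitBPPSegment(sampleSegment())
	fmt.Println(len(programs), len(rest), err)
}
```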
As an alternative embodiment, the fifth information is the length information of the authentication algorithm program. By implementing this embodiment, the LPA can accurately determine the authentication algorithm program within the bound profile package from the length information of the authentication algorithm program.
As an alternative embodiment, the length information of the authentication algorithm program may be included in the store metadata of the bound profile package. As shown in Figure 11, in addition to sending the authentication algorithm program to the SM-DP+ server, the MNO can also send the identifier of the authentication algorithm program and its length information to the SM-DP+ server. After receiving them, the SM-DP+ server can include the identifier and the length information of the authentication algorithm program in the store metadata of the bound profile package, so that they are delivered to the LPA and the eUICC.
By implementing this embodiment, the LPA is informed of the length of the authentication algorithm program, so it can accurately send the authentication algorithm program part to the eUICC to be added or installed first. This ensures that, once the profile is installed and activated, the previously added or installed authentication algorithm program can be used to access the network successfully.
Correspondingly, after the LPA receives the store metadata of the bound profile package, it obtains the length information of the authentication algorithm program from the store metadata, uses it to determine the authentication algorithm program within the bound profile package, and sends the determined authentication algorithm program to the eUICC. Optionally, after the eUICC receives the store metadata sent by the LPA, the eUICC obtains the identifier of the authentication algorithm program from the store metadata and adds the identifier to the eUICC.
As an alternative embodiment, as shown in Figure 12, the SM-DP+ server, the MNO, the LPA and the eUICC can also perform the following steps. The MNO sends the identifier of the authentication algorithm program and the length information of the authentication algorithm program to the SM-DP+ server. After receiving the identifier, the length information and the authentication algorithm program from the MNO, the SM-DP+ server generates a first digital signature over the identifier of the authentication algorithm program and the length information of the authentication algorithm program. The SM-DP+ server sends fourth information to the LPA, which includes the identifier of the authentication algorithm program, the length information of the authentication algorithm program and the first digital signature, and the LPA sends the fourth information to the eUICC. After receiving the fourth information, the eUICC verifies the first digital signature using the identifier of the authentication algorithm program and its length information. If the first digital signature verifies, the eUICC generates a second digital signature using the first digital signature and sends the second digital signature to the SM-DP+ server via the LPA. After receiving the second digital signature, the SM-DP+ server verifies it; if the second digital signature verifies, the SM-DP+ server performs the step of generating the bound profile package that includes the authentication algorithm program. That is, in this embodiment the length information of the authentication algorithm program may also be sent to the LPA without being included in the store metadata of the bound profile package.
By implementing this embodiment, the identity legitimacy of the SM-DP+ server and of the eUICC can be verified, and at the same time the LPA is informed of the length of the authentication algorithm program, so it can accurately send the authentication algorithm program part to the eUICC to be added or installed first. This ensures that, once the profile is installed and activated, the previously added or installed authentication algorithm program can be used to access the network successfully.
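The signature exchange of Figure 12 as an added example in Go (not the patent's code, nor that of any SM-DP+ or eUICC implementation): SM-DP+ signs the program identifier and length, the eUICC verifies and countersigns the first signature, and SM-DP+ verifies the second signature before generating the package. The encoding of the signed data, P-256 ECDSA with SHA-256, and the sample identifier and length are assumptions; certificates are replaced by directly exchanged public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// FourthInfo is the "fourth information" of Figure 12: the program identifier,
// its length and the SM-DP+ server's first digital signature over both.
type FourthInfo struct {
	AlgID     []byte
	AlgLength uint32
	Sig1      []byte
}

// toBeSigned is the byte string the first signature covers. The page fixes no
// encoding, so id || length (4-byte big endian) is an assumption of this example.
func toBeSigned(id []byte, length uint32) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, length)
	return append(append([]byte{}, id...), buf...)
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// smdpSignFourthInfo is the SM-DP+ step, run after the MNO has delivered the
// program, its identifier and its length.
func smdpSignFourthInfo(smdp *ecdsa.PrivateKey, id []byte, length uint32) (FourthInfo, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, smdp, digest(toBeSigned(id, length)))
	if err != nil {
		return FourthInfo{}, err
	}
	return FourthInfo{AlgID: id, AlgLength: length, Sig1: sig}, nil
}

// euiccVerifyAndSign is the eUICC step: verify the first signature with the
// SM-DP+ public key (taken from its certificate in the real flow) and, only on
// success, produce the second signature over the first with the eUICC key.
func euiccVerifyAndSign(smdpPub *ecdsa.PublicKey, euicc *ecdsa.PrivateKey, fi FourthInfo) ([]byte, error) {
	if !ecdsa.VerifyASN1(smdpPub, digest(toBeSigned(fi.AlgID, fi.AlgLength)), fi.Sig1) {
		return nil, errors.New("first digital signature invalid; eUICC aborts")
	}
	return ecdsa.SignASN1(rand.Reader, euicc, digest(fi.Sig1))
}

// smdpVerifySecond checks the second signature against the eUICC public key;
// only then does the SM-DP+ server generate the bound profile package.
func smdpVerifySecond(euiccPub *ecdsa.PublicKey, sig1, sig2 []byte) bool {
	return ecdsa.VerifyASN1(euiccPub, digest(sig1), sig2)
}

// runExchange executes the whole flow with freshly generated keys. When
// alteredInTransit is set, the length the eUICC receives differs from the one
// SM-DP+ signed, which the first signature is there to detect. It returns
// whether SM-DP+ may proceed to package generation.
func runExchange(alteredInTransit bool) (bool, error) {
	smdp, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	euicc, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	// Constructed identifier and length of the authentication algorithm program.
	fi, err := smdpSignFourthInfo(smdp, []byte("auth-alg-v2"), 4096)
	if err != nil {
		return false, err
	}
	if alteredInTransit {
		fi.AlgLength = 4095
	}
	sig2, err := euiccVerifyAndSign(&smdp.PublicKey, euicc, fi)
	if err != nil {
		return false, err
	}
	return smdpVerifySecond(&euicc.PublicKey, fi.Sig1, sig2), nil
}
```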
Correspondingly, after the LPA receives the bound profile package, it determines the authentication algorithm program within the bound profile package from the received length information of the authentication algorithm program and sends the determined authentication algorithm program to the eUICC. Optionally, after the eUICC receives the authentication algorithm program sent by the LPA, it adds the authentication algorithm program and its identifier to the eUICC.
As an optional embodiment, the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the type "install bound patch and profile", which indicates that the bound profile package contains both an authentication algorithm program and a profile. Specifically, by parsing a remote operation type identifier whose value is "install bound patch and profile", the eUICC learns that the bound profile package contains an authentication algorithm program and a profile. The eUICC can first add or install the authentication algorithm program after obtaining all of it, send an addition-success or installation-success result message to the LPA in order to obtain the profile from the LPA, and then install the profile. Optionally, the "install bound patch and profile" type may also indicate the security level of the authentication algorithm program and the profile. After receiving the initial secure channel information from the LPA, the eUICC checks that the remote operation type identifier it contains has the value "install bound patch and profile". If the identifier is one of the defined types, the eUICC processes the authentication algorithm program and the profile in the bound profile package respectively at the security level corresponding to that remote operation type. For example, a remote operation type identifier with the value "install bound patch and profile" may indicate that the security level of the profile and the authentication algorithm program is integrity protection plus encryption protection.
As an optional embodiment, as shown in Figure 13, when the authentication algorithm program lies outside the profile, the SM-DP+ server encrypts both the authentication algorithm program and the profile with the session key while generating the bound profile package. Correspondingly, after the eUICC receives the authentication algorithm program from the LPA, it decrypts the authentication algorithm program with the session key. Optionally, after the eUICC has completed adding the authentication algorithm program, it sends an authentication algorithm program addition success message to the LPA; this message can be carried in a response Application Protocol Data Unit (response APDU) and instructs the LPA to send the profile part of the bound profile package to the eUICC. After the eUICC receives the profile from the LPA, it decrypts the profile with the session key.
The eUICC can also receive the profile from the LPA first, decrypt it with the session key and install it. Optionally, after the eUICC completes installing the profile, it sends a profile installation success message to the LPA; this message can be carried in a response APDU and instructs the LPA to send the authentication algorithm program in the bound profile package to the eUICC. The eUICC receives the authentication algorithm program from the LPA, decrypts it with the session key and, after decryption, adds it to the eUICC. In other words, the eUICC can receive the authentication algorithm program from the LPA first and the profile afterwards, or the profile first and the authentication algorithm program afterwards; the embodiment of the present invention does not limit this.
Encrypting the authentication algorithm program with the session key improves the security of the data transmission.
Optionally, the structure of the bound profile package generated by the SM-DP+ server can be as shown in Figure 14: the bound profile package may include the initial secure channel information, the issuer security domain profile configuration (Configure ISDP), the store metadata, the authentication algorithm program and the profile part. Optionally, the profile can also precede the authentication algorithm program.
Optionally, when generating the bound profile package, the SM-DP+ server can use the session key to encrypt the issuer security domain profile configuration, the authentication algorithm program and the profile in the bound profile package. After receiving the initial secure channel information, the eUICC obtains from it the public key of the one-time key pair generated by the SM-DP+ server, generates the session key from the digital certificate and the private key of the one-time key pair generated by the eUICC, and uses the session key to decrypt the issuer security domain profile configuration, the authentication algorithm program and the profile received from the LPA.
As an optional embodiment, as shown in Figure 15, when the authentication algorithm program lies outside the profile, the bound profile package further includes a protection key. While generating the bound profile package, the SM-DP+ server encrypts the authentication algorithm program and the profile with the protection key, and encrypts the protection key with the session key. Correspondingly, before the eUICC receives the authentication algorithm program from the LPA, it can receive the protection key from the LPA and decrypt it with the session key. Optionally, after the eUICC completes adding or installing the authentication algorithm program, it sends an authentication algorithm program addition success message to the LPA; this message can be carried in a response Application Protocol Data Unit (response APDU) and instructs the LPA to send the profile part of the bound profile package to the eUICC. After the eUICC receives the authentication algorithm program from the LPA it can decrypt it with the protection key, and after it receives the profile from the LPA it can decrypt the profile with the protection key as well.
The eUICC can also receive the profile from the LPA first, decrypt it with the protection key and install it. Optionally, after the eUICC completes installing the profile, it sends a profile installation success message to the LPA; this message can be carried in a response APDU and instructs the LPA to send the authentication algorithm program in the bound profile package to the eUICC. The eUICC receives the authentication algorithm program from the LPA, decrypts it with the protection key and, after decryption, adds it to the eUICC. In other words, the eUICC can receive the authentication algorithm program from the LPA first and the profile afterwards, or the profile first and the authentication algorithm program afterwards; the embodiment of the present invention does not limit this.
Optionally, the structure of the bound profile package generated by the SM-DP+ server can be as shown in Figure 16: the bound profile package may include the initial secure channel information, the issuer security domain profile configuration, the store metadata, the protection key, the authentication algorithm program and the profile. Optionally, the profile can also precede the authentication algorithm program.
Optionally, while generating the bound profile package the SM-DP+ server can encrypt the authentication algorithm program and the profile with the protection key, and then encrypt the issuer security domain profile configuration and the protection key in the bound profile package with the session key. After receiving the initial secure channel information, the eUICC obtains from it the public key of the one-time key pair generated by the SM-DP+ server, generates the session key from the digital certificate and the private key of the one-time key pair generated by the eUICC, and decrypts the issuer security domain profile configuration and the protection key received from the LPA with the session key. After decrypting the protection key, the eUICC decrypts the received authentication algorithm program and profile with the protection key.
Encrypting the authentication algorithm program with the protection key improves the security of the data transmission.
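The two-level encryption of Figures 15 and 16, together with the session key derivation from the one-time key pairs described for Figures 14 and 16, as an added example in Go that is not the patent's own code: SM-DP+ wraps a fresh protection key under the session key and seals the program and the profile under the protection key; the eUICC reverses this in the order it receives the parts, and a modified part fails to decrypt. The KDF (SHA-256 of the ECDH shared secret), AES-256-GCM as the cipher and the role labels are assumptions; the certificate check of the SM-DP+ one-time public key is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveSessionKey combines one side's one-time private key with the peer's
// one-time public key. The page names no KDF, so SHA-256 of the ECDH shared
// secret is an assumption; AES-GCM then gives encryption and integrity in one key.
func deriveSessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; the label is authenticated, not encrypted,
// and ties each ciphertext to its role so parts cannot be swapped.
func seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, label)...), nil
}

// open reverses seal; any change to nonce, ciphertext or label is rejected.
func open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], label)
}

// BPP carries the parts of Figure 16 used here, in the order the LPA forwards them.
type BPP struct {
	SMDPOneTimePub *ecdh.PublicKey // sent in the initial secure channel information
	ProtectionKey  []byte          // encrypted under the session key
	Program        []byte          // encrypted under the protection key
	Profile        []byte          // encrypted under the protection key
}

// smdpBuildBPP is the SM-DP+ side: a fresh protection key per package, program
// and profile sealed under it, the protection key sealed under the session key.
func smdpBuildBPP(smdpOT *ecdh.PrivateKey, euiccOTPub *ecdh.PublicKey, program, profile []byte) (*BPP, error) {
	session, err := deriveSessionKey(smdpOT, euiccOTPub)
	if err != nil {
		return nil, err
	}
	pk := make([]byte, 32)
	if _, err := rand.Read(pk); err != nil {
		return nil, err
	}
	encPK, errPK := seal(session, pk, []byte("protection-key"))
	encProg, errProg := seal(pk, program, []byte("auth-alg-program"))
	encProf, errProf := seal(pk, profile, []byte("profile"))
	if err := errors.Join(errPK, errProg, errProf); err != nil {
		return nil, err
	}
	return &BPP{smdpOT.PublicKey(), encPK, encProg, encProf}, nil
}

// euiccUnpackBPP is the eUICC side: rebuild the session key with its own
// one-time private key, recover the protection key, then the program and profile.
func euiccUnpackBPP(euiccOT *ecdh.PrivateKey, b *BPP) ([]byte, []byte, error) {
	session, err := deriveSessionKey(euiccOT, b.SMDPOneTimePub)
	if err != nil {
		return nil, nil, err
	}
	pk, err := open(session, b.ProtectionKey, []byte("protection-key"))
	if err != nil {
		return nil, nil, err
	}
	program, errProg := open(pk, b.Program, []byte("auth-alg-program"))
	profile, errProf := open(pk, b.Profile, []byte("profile"))
	return program, profile, errors.Join(errProg, errProf)
}
```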
As an optional embodiment, when the authentication algorithm program lies outside the profile, the bound profile package further includes a first protection key and a second protection key. While generating the bound profile package, the SM-DP+ server encrypts the authentication algorithm program with the first protection key and the profile with the second protection key, and encrypts the first and second protection keys with the session key. Correspondingly, before the eUICC receives the authentication algorithm program from the LPA, it can also receive the first protection key from the LPA and decrypt it with the session key; after receiving the authentication algorithm program from the LPA, it can decrypt the program with the first protection key. Optionally, after the eUICC completes adding the authentication algorithm program, it sends an authentication algorithm program addition success message to the LPA; this message can be carried in a response Application Protocol Data Unit (response APDU) and instructs the LPA to send the profile part of the bound profile package to the eUICC. Before the eUICC receives the profile from the LPA, it can also receive the second protection key from the LPA and decrypt it with the session key; after receiving the profile from the LPA, it can decrypt the profile with the second protection key. The eUICC can also receive the profile first and decrypt it with the second protection key received before the profile; after receiving the profile, it receives the first protection key and the authentication algorithm program in turn and decrypts the authentication algorithm program with the first protection key.
Specifically, the second protection key can be the profile protection key: when the SM-DP+ server prepares the profile, it can immediately generate a profile protection key and encrypt the profile with it. The first protection key can be an authentication algorithm program protection key: after the SM-DP+ server obtains the authentication algorithm program corresponding to the eUICC, it can encrypt the program with the authentication algorithm program protection key. The first protection key can also be the same as the second protection key; for example, when the SM-DP+ server prepares the profile it also prepares the corresponding authentication algorithm program and encrypts both with one protection key. In that case the protection key can be sent to the eUICC by the LPA only before the profile, or only before the authentication algorithm program. The embodiment of the present invention does not specifically limit this.
As an alternative embodiment, as shown in Figure 17, when the authentication algorithm program lies outside the profile, the bound profile package further includes a protection key. While generating the bound profile package, the SM-DP+ server encrypts the authentication algorithm program with the session key and the profile with the protection key. Correspondingly, before the eUICC receives the profile from the LPA, it can also receive the protection key from the LPA and decrypt it with the session key; after receiving the authentication algorithm program from the LPA, it can decrypt the program with the session key. Optionally, after the eUICC completes adding or installing the authentication algorithm program, it sends an authentication algorithm program addition success message to the LPA; this message can be carried in a response Application Protocol Data Unit (response APDU) and instructs the LPA to send the profile part of the bound profile package to the eUICC. After the eUICC receives the profile from the LPA, it can decrypt the profile with the protection key.
The eUICC can also receive the profile from the LPA first, decrypt it with the protection key and install it. Optionally, after the eUICC completes installing the profile, it sends a profile installation success message to the LPA; this message can be carried in a response APDU and instructs the LPA to send the authentication algorithm program in the bound profile package to the eUICC. The eUICC receives the authentication algorithm program from the LPA, decrypts it with the session key and, after decryption, adds it to the eUICC. In other words, the eUICC can receive the authentication algorithm program first and the profile afterwards, or the profile first and the authentication algorithm program afterwards. The eUICC can receive the protection key from the LPA after receiving the authentication algorithm program and then receive the profile; it can receive the profile after receiving the protection key and then receive the authentication algorithm program; or it can receive the authentication algorithm program after receiving the protection key and then receive the profile. The embodiment of the present invention does not limit this.
As an alternative embodiment, when the authentication algorithm program lies outside the profile, the bound profile package further includes a protection key that is encrypted with the session key. While generating the bound profile package, the SM-DP+ server encrypts the authentication algorithm program with the protection key and the profile with the session key. Correspondingly, after the eUICC receives the profile from the LPA, it can also receive the protection key from the LPA and decrypt it with the session key; after receiving the authentication algorithm program from the LPA, it can decrypt the program with the protection key. The eUICC can also receive the protection key from the LPA first and decrypt it with the session key; after decryption, it receives the authentication algorithm program from the LPA and adds it to the eUICC. Optionally, after the eUICC completes adding the authentication algorithm program, it sends an authentication algorithm program addition success message to the LPA; this message can be carried in a response Application Protocol Data Unit (response APDU) and instructs the LPA to send the profile in the bound profile package to the eUICC. The eUICC receives the profile from the LPA, decrypts it with the session key and, after decryption, installs it. In other words, the eUICC can receive the protection key first, then the authentication algorithm program, and finally the profile; or it can receive the profile first, then the protection key, and finally the authentication algorithm program.
Optionally, the structure of the bound profile package generated by the SM-DP+ server can be as shown in Figures 16 and 18: the bound profile package may include the initial secure channel information, the issuer security domain profile configuration, the store metadata, the protection key, the authentication algorithm program and the profile. In Figure 16 the protection key precedes the authentication algorithm program; in Figure 18 it follows the authentication algorithm program. That is, in this embodiment the LPA can send the protection key to the eUICC first and then the authentication algorithm program, or send the authentication algorithm program first and then the protection key.
Optionally, the SM-DP+ server can encrypt the profile with the protection key, and then encrypt the issuer security domain profile configuration, the protection key and the authentication algorithm program in the bound profile package with the session key. After receiving the initial secure channel information, the eUICC obtains from it the public key of the one-time key pair generated by the SM-DP+ server, generates the session key from the digital certificate and the private key of the one-time key pair generated by the eUICC, and decrypts the issuer security domain profile configuration, the protection key and the authentication algorithm program received from the LPA with the session key. After decrypting the protection key, the eUICC decrypts the received profile with the protection key.
Encrypting the authentication algorithm program with the session key and the profile with the protection key improves the security of the data transmission.
As an alternative embodiment, the authentication algorithm program is encrypted by the MNO with the public key of the eUICC, i.e. the authentication algorithm program that the SM-DP+ server receives is already encrypted with the eUICC's public key. The SM-DP+ server therefore need not encrypt the authentication algorithm program again and can send the program, encrypted with the eUICC's public key, directly to the eUICC via the LPA; after receiving it, the eUICC decrypts the authentication algorithm program with the eUICC's private key. Optionally, even when the authentication algorithm program is already encrypted by the MNO with the eUICC's public key, the SM-DP+ server can encrypt it once more to improve data security, using either the protection key or the session key. For example, if the SM-DP+ server encrypts the public-key-encrypted authentication algorithm program with the protection key, the eUICC, after receiving it, first decrypts it with the protection key and then with the eUICC's private key. Likewise, if the SM-DP+ server encrypts the public-key-encrypted authentication algorithm program with the session key, the eUICC first decrypts it with the session key and then with the eUICC's private key.
Encrypting the authentication algorithm program with the public key of the eUICC improves the security of the data transmission.
As an optional embodiment, before the MNO encrypts the authentication algorithm program with the eUICC's public key, the following steps can also be performed. When the MNO agrees with the card vendor on the constraint conditions for generating the authentication algorithm program (such as the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the UICC capability information), the MNO obtains from the card vendor the certificates (CERT.EUICC.ECDSA) of all the eUICCs the card vendor provides. The certificate of an eUICC contains the public key of the eUICC. After generating the authentication algorithm program, the MNO can match an eUICC to the authentication algorithm program of the corresponding version according to the EID information in the eUICC certificate. The match can be made by the EID issuer identifier in the EID information; by the platform/operating system version information in the EID; by both the EID issuer identifier and the platform/operating system version information in the EID; or by the EID issuer identifier and platform/operating system version information in the EID together with the firmware version information of the eUICC and the capability information of the UICC. The firmware version information of the eUICC and the capability information of the UICC can be provided by the card vendor when the MNO and the card vendor agree on the constraint conditions for generating the authentication algorithm program. In other words, after generating the authentication algorithm program, the MNO can find the corresponding authentication algorithm program according to one or more of the EID issuer identifier, the platform/operating system version information, the eUICC firmware version information and the UICC capability information.
Optionally, the session key and the protection key each comprise an encryption key and an integrity key. The encryption key is used to encrypt and decrypt messages; the integrity key is used to generate the integrity verification field and to verify it.
The embodiments of the present invention may divide the SM-DP+ server, the LPA and the eUICC into functional units according to the method examples above; for example, each functional unit may correspond to one function, or two or more functions may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division into units in the embodiments of the present invention is schematic and is only a division by logical function; other divisions are possible in actual implementation.
Referring to Figure 19, Figure 19 is a schematic structural diagram of an SM-DP+ server provided in an embodiment of the present invention. As shown in Figure 19, the SM-DP+ server includes a communication module 1901 and a processing module 1902. Wherein:
The communication module 1901 is configured to receive an authentication algorithm program sent by the Mobile Network Operator (MNO). The authentication algorithm program corresponds to target information, and the target information is at least one of the firmware version information of the embedded universal integrated circuit card (eUICC), the EID issuer identifier of the eUICC (EID being the eUICC identity), the platform/operating system version information of the eUICC and the capability information of the eUICC. The processing module 1902 is configured to generate a bound profile package including the authentication algorithm program. The communication module 1901 is further configured to send the bound profile package to the eUICC via the local profile assistant (LPA).
Optionally, the authentication algorithm program is for addition to the authentication algorithm program set of the eUICC. Optionally, the authentication algorithm program set may be located in the telecom framework of the eUICC.
As an optional embodiment, the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC. The communication module 1901 is further configured to receive, before receiving the authentication algorithm program sent by the MNO, first information sent by the MNO, the first information including EID information, and to receive second information sent by the LPA, the second information including eUICC information. The processing module 1902 is further configured to obtain the firmware version information from the eUICC information, and to obtain the EID issuer identifier and the platform/operating system version information from the EID information. The communication module 1901 is further configured to send third information to the MNO, the third information including the firmware version information, the EID issuer identifier and the platform/operating system version information.
As an optional embodiment, the target information further includes the capability information of the eUICC, and the processing module 1902 is further configured to obtain the capability information of the eUICC from the eUICC information. In that case the third information further includes the capability information of the eUICC.
As an optional embodiment, the first information further includes an authentication algorithm program addition identifier, which instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information.
As an optional embodiment, the second information further includes an authentication algorithm program addition identifier, which instructs the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information.
As an optional embodiment, the third information is handle download progress information.
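The selection step described above, the SM-DP+ assembling the third information from the MNO's EID information and the LPA's eUICC information and the MNO then matching a program version by EID issuer identifier, platform/operating system version, firmware version and capability information, in working Go. This is an added example, not code from the patent or from Huawei. The 32-digit EID with the issuer identifier at digits 6 to 8 and the platform/OS version at digits 9 to 10, the field names and the sample programs are all assumptions constructed for the illustration; the authoritative EID layout is GSMA's and is not given on this page. The example goes slightly beyond the text in one respect: when several programs match, it takes the most specific one and treats a tie or an empty result as an error rather than a first-match choice.

```go
package main

import (
	"errors"
	"fmt"
)

// TargetInfo holds the fields the page keys an authentication algorithm program
// on. In a program's constraint conditions an empty field means "not constrained".
type TargetInfo struct {
	EIDIssuer  string // EID issuer identifier, taken from the EID
	PlatformOS string // platform/operating system version, taken from the EID
	Firmware   string // eUICC firmware version, taken from the eUICC information
	Capability string // eUICC capability information, taken from the eUICC information
}

// AlgorithmProgram is one MNO-supplied program with the constraint conditions agreed with the card vendor.
type AlgorithmProgram struct {
	ID          string
	Constraints TargetInfo
	Code        []byte
}

// BuildThirdInfo is the SM-DP+ step: take the EID issuer identifier and
// platform/OS version from the EID in the MNO's first information, the firmware
// version and capability from the LPA's eUICC information, and return the third
// information for the MNO. Digit positions 6-8 and 9-10 are this example's
// assumption; the real EID layout is GSMA's, not this page's.
func BuildThirdInfo(eid, firmware, capability string) (TargetInfo, error) {
	if len(eid) != 32 {
		return TargetInfo{}, fmt.Errorf("EID must be 32 digits, got %d", len(eid))
	}
	return TargetInfo{EIDIssuer: eid[5:8], PlatformOS: eid[8:10], Firmware: firmware, Capability: capability}, nil
}

// matches reports whether every constrained field equals the target's, and how
// many fields were constrained (the specificity of the match).
func (c TargetInfo) matches(t TargetInfo) (bool, int) {
	score := 0
	for _, f := range [][2]string{{c.EIDIssuer, t.EIDIssuer}, {c.PlatformOS, t.PlatformOS},
		{c.Firmware, t.Firmware}, {c.Capability, t.Capability}} {
		if f[0] == "" {
			continue
		}
		if f[0] != f[1] {
			return false, 0
		}
		score++
	}
	return true, score
}

// SelectProgram is the MNO-side lookup. The most specific matching program
// wins; no match, or two equally specific matches, is an error, so a program
// built for another issuer, OS or firmware is never chosen by accident.
func SelectProgram(programs []AlgorithmProgram, target TargetInfo) (*AlgorithmProgram, error) {
	var best *AlgorithmProgram
	bestScore, tie := -1, false
	for i := range programs {
		ok, score := programs[i].Constraints.matches(target)
		switch {
		case !ok:
		case score > bestScore:
			best, bestScore, tie = &programs[i], score, false
		case score == bestScore:
			tie = true
		}
	}
	if best == nil {
		return nil, errors.New("no authentication algorithm program matches the target information")
	}
	if tie {
		return nil, fmt.Errorf("ambiguous: several programs match at specificity %d", bestScore)
	}
	return best, nil
}

// SamplePrograms is constructed data: program versions with increasingly specific constraints.
func SamplePrograms() []AlgorithmProgram {
	return []AlgorithmProgram{
		{ID: "ALG-077", Constraints: TargetInfo{EIDIssuer: "077"}},
		{ID: "ALG-012", Constraints: TargetInfo{EIDIssuer: "012"}},
		{ID: "ALG-012-03", Constraints: TargetInfo{EIDIssuer: "012", PlatformOS: "03"}},
		{ID: "ALG-012-03-fw4.2.1", Constraints: TargetInfo{EIDIssuer: "012", PlatformOS: "03", Firmware: "4.2.1"}},
	}
}

func main() {
	// Constructed EID: issuer "012" at digits 6-8, platform/OS "03" at digits 9-10.
	target, err := BuildThirdInfo("89044012030000000000000000000001", "4.2.1", "milenage,tuak")
	if err != nil {
		panic(err)
	}
	p, err := SelectProgram(SamplePrograms(), target)
	if err != nil {
		panic(err)
	}
	fmt.Println("selected:", p.ID) // selected: ALG-012-03-fw4.2.1
}
```

The fail-closed behaviour is the point a practitioner wants here: the program that is selected ends up in the telecom framework of the eUICC and performs the network authentication, so a silent match to a program built for another platform or firmware is a security defect, not only a functional one.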
As an optional embodiment, the communication module 1901 is further configured to receive an identifier of the authentication algorithm program and length information of the authentication algorithm program sent by the MNO. The processing module 1902 is further configured to generate, after the communication module 1901 receives the authentication algorithm program sent by the MNO, a first digital signature over the identifier of the authentication algorithm program and the length information of the authentication algorithm program. The communication module 1901 is further configured to send fourth information to the eUICC via the LPA, the fourth information including the identifier of the authentication algorithm program, the length information of the authentication algorithm program and the first digital signature, and to receive a second digital signature sent by the eUICC via the LPA. The processing module 1902 is further configured to verify the second digital signature; if the verification of the second digital signature succeeds, the processing module 1902 is triggered to generate the bound profile package including the authentication algorithm program.
As an optional embodiment, the communication module 1901 is further configured to receive the identifier of the authentication algorithm program and the length information of the authentication algorithm program sent by the MNO, and the store metadata of the bound profile package includes the identifier of the authentication algorithm program and the length information of the authentication algorithm program.
As an optional embodiment, the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the install bound patch and profile type; the install bound patch and profile type indicates that the bound profile package includes the authentication algorithm program and a profile.
As an optional embodiment, the bound profile package further includes a profile, and the authentication algorithm program and the profile are encrypted with a session key.
As an optional embodiment, the bound profile package further includes a profile and a protection key, and the authentication algorithm program and the profile are encrypted with the protection key.
As an optional embodiment, the bound profile package further includes a profile and a protection key; the authentication algorithm program is encrypted with a session key, and the profile is encrypted with the protection key.
As an optional embodiment, the authentication algorithm program is encrypted by the MNO with the public key of the eUICC.
Based on the same inventive concept, the principle by which the SM-DP+ server provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the SM-DP+ server may therefore refer to the implementation of the method and, for brevity, is not repeated here.
Referring to Figure 20, Figure 20 is a schematic structural diagram of an eUICC provided in an embodiment of the present invention. As shown in Figure 20, the eUICC includes a communication module 2001 and a processing module 2002. Wherein:
The communication module 2001 is configured to receive a bound profile package sent by the local profile assistant (LPA). The bound profile package includes initial secure channel information, store metadata, an authentication algorithm program and a profile. The authentication algorithm program corresponds to target information, and the target information is at least one of the firmware version information of the eUICC, the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC. The processing module 2002 is configured to add the authentication algorithm program to the eUICC.
As an optional embodiment, the communication module 2001 is further configured to receive, before receiving the initial secure channel information sent by the LPA, fourth information sent by the SM-DP+ server via the LPA, the fourth information including the identifier of the authentication algorithm program, the length information of the authentication algorithm program and a first digital signature. The processing module 2002 is further configured to verify the first digital signature using the identifier of the authentication algorithm program and the length information of the authentication algorithm program and, if the verification of the first digital signature succeeds, to generate a second digital signature over the first digital signature. The communication module 2001 is further configured to send the second digital signature to the SM-DP+ server via the LPA.
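The signature exchange described for the SM-DP+ server (communication module 1901 and processing module 1902) and, just above, for the eUICC (modules 2001 and 2002), with both sides' messages, as an added Go example that is not part of the patent. Assumptions made here: ECDSA over P-256 with SHA-256; a simple length-prefixed encoding of (identifier, length) as the input of the first signature; the second signature computed over the SHA-256 hash of the first signature; and certificate handling left out, each side being handed the other's public key directly. Type, field and key names are this example's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FourthInfo is what the SM-DP+ sends to the eUICC through the LPA: the
// algorithm program identifier, its length, and the first digital signature.
type FourthInfo struct {
	AlgID  string
	Length uint32
	Sig1   []byte
}

// digest gives both sides one unambiguous encoding of (identifier, length):
// 2-byte identifier length, identifier, 4-byte program length, big-endian.
// The encoding and the use of SHA-256 are this example's assumptions.
func digest(id string, length uint32) []byte {
	buf := make([]byte, 2+len(id)+4)
	binary.BigEndian.PutUint16(buf, uint16(len(id)))
	copy(buf[2:], id)
	binary.BigEndian.PutUint32(buf[2+len(id):], length)
	sum := sha256.Sum256(buf)
	return sum[:]
}

type SMDPPlus struct{ Key *ecdsa.PrivateKey }

type EUICC struct {
	Key            *ecdsa.PrivateKey
	expectedID     string // remembered from the verified fourth information
	expectedLength uint32
}

func NewP256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignFourthInfo: the SM-DP+ commits to which program, and how long it is,
// before anything reaches the eUICC.
func (dp *SMDPPlus) SignFourthInfo(id string, length uint32) (FourthInfo, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, dp.Key, digest(id, length))
	if err != nil {
		return FourthInfo{}, err
	}
	return FourthInfo{AlgID: id, Length: length, Sig1: sig}, nil
}

// HandleFourthInfo: the eUICC verifies the first signature with the SM-DP+
// public key and only then counter-signs it (the second digital signature).
func (e *EUICC) HandleFourthInfo(fi FourthInfo, dpPub *ecdsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(dpPub, digest(fi.AlgID, fi.Length), fi.Sig1) {
		return nil, errors.New("first digital signature invalid: fourth information rejected")
	}
	e.expectedID, e.expectedLength = fi.AlgID, fi.Length
	h := sha256.Sum256(fi.Sig1)
	return ecdsa.SignASN1(rand.Reader, e.Key, h[:])
}

// VerifySecondSignature: the SM-DP+ checks the eUICC's counter-signature over
// the first signature before it generates the bound profile package.
func (dp *SMDPPlus) VerifySecondSignature(sig1, sig2 []byte, euiccPub *ecdsa.PublicKey) bool {
	h := sha256.Sum256(sig1)
	return ecdsa.VerifyASN1(euiccPub, h[:], sig2)
}

// AcceptProgram: when the program bytes later arrive, the eUICC holds them to
// the identifier and length it verified in the fourth information.
func (e *EUICC) AcceptProgram(id string, program []byte) error {
	if e.expectedID == "" {
		return errors.New("no verified fourth information; refusing program")
	}
	if id != e.expectedID || uint32(len(program)) != e.expectedLength {
		return fmt.Errorf("program (%q, %d bytes) does not match signed (%q, %d)",
			id, len(program), e.expectedID, e.expectedLength)
	}
	return nil
}

func main() {
	dpKey, _ := NewP256Key()
	euKey, _ := NewP256Key()
	dp, eu := &SMDPPlus{Key: dpKey}, &EUICC{Key: euKey}
	program := []byte("constructed authentication algorithm program") // stand-in bytes
	fi, _ := dp.SignFourthInfo("ALG-012-03", uint32(len(program)))
	sig2, err := eu.HandleFourthInfo(fi, &dpKey.PublicKey)
	fmt.Println("eUICC accepted fourth information:", err == nil)
	fmt.Println("SM-DP+ accepted second signature:", dp.VerifySecondSignature(fi.Sig1, sig2, &euKey.PublicKey))
	fmt.Println("program matches signed identifier and length:", eu.AcceptProgram("ALG-012-03", program) == nil)
}
```

Two checks give the exchange its value. The eUICC records the identifier and length it verified, so the program bytes delivered later are held to that commitment instead of being trusted on arrival, and the SM-DP+ does not generate the bound profile package until the eUICC's counter-signature verifies, so a program is never prepared for a card that did not accept the fourth information.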
As an optional embodiment, the processing module 2002 is further configured to add the identifier of the authentication algorithm program to the eUICC after the communication module 2001 receives the authentication algorithm program sent by the LPA.
As an optional embodiment, the store metadata includes the identifier of the authentication algorithm program, and the processing module 2002 is further configured to add the identifier of the authentication algorithm program to the eUICC.
As an optional embodiment, the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the install bound patch and profile type; the install bound patch and profile type indicates that the bound profile package includes the authentication algorithm program and a profile.
As an optional embodiment, the authentication algorithm program and the profile are encrypted with a session key. The processing module 2002 is further configured to decrypt the authentication algorithm program with the session key after the communication module 2001 receives the authentication algorithm program sent by the LPA, and to decrypt the profile with the session key after the communication module 2001 receives the profile sent by the LPA.
As an optional embodiment, the authentication algorithm program and the profile are encrypted with a protection key, the bound profile package further includes the protection key, and the protection key is encrypted with the session key. The communication module 2001 is further configured to receive the protection key sent by the LPA before receiving the authentication algorithm program sent by the LPA. The processing module 2002 is further configured to decrypt the protection key with the session key, to decrypt the authentication algorithm program with the protection key after the communication module 2001 receives the authentication algorithm program sent by the LPA, and to decrypt the profile with the protection key after the communication module 2001 receives the profile sent by the LPA.
As an optional embodiment, the authentication algorithm program is encrypted with a session key, the profile is encrypted with a protection key, the bound profile package further includes the protection key, and the protection key is encrypted with the session key. The communication module 2001 is further configured to receive the protection key sent by the LPA before receiving the profile sent by the LPA. The processing module 2002 is further configured to decrypt the protection key with the session key, to decrypt the authentication algorithm program with the session key after the communication module 2001 receives the authentication algorithm program sent by the LPA, and to decrypt the profile with the protection key after the communication module 2001 receives the profile sent by the LPA.
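The two-level key arrangement described in the preceding embodiments, a protection key carried under the session key with the authentication algorithm program and the profile encrypted under the protection key, each key split into an encryption key and an integrity key as stated earlier in this section, as an added Go example that is not from the patent. Assumptions: AES-128-CTR for encryption and HMAC-SHA256 for the integrity verification field (encrypt-then-MAC), a fresh random IV per segment, hypothetical segment tags 0xA1 to 0xA3 rather than SGP.22 ASN.1 tags, and a fixed three-segment order. The variants in which the program, or both elements, are encrypted directly under the session key use the same Protect and Unprotect calls with a different key choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPair follows the page: each key is an encryption key plus an integrity key
// (AES-128-CTR and HMAC-SHA256 here; the primitives are this example's choice).
type KeyPair struct{ Enc, Mac []byte } // Enc: 16 bytes, Mac: 32 bytes

// Segment is one protected element of the bound profile package.
type Segment struct {
	Tag        byte   // hypothetical tag values below, not SGP.22 ASN.1 tags
	Nonce      []byte // fresh CTR IV per segment
	Ciphertext []byte
	ICV        []byte // integrity verification field over tag||nonce||ciphertext
}

const TagProtectionKey, TagAlgorithm, TagProfile byte = 0xA1, 0xA2, 0xA3

// NewKeyPair draws both halves from the CSPRNG.
func NewKeyPair() (KeyPair, error) {
	raw := make([]byte, 48)
	_, err := rand.Read(raw)
	return KeyPair{Enc: raw[:16], Mac: raw[16:]}, err
}

func icv(k KeyPair, tag byte, nonce, ct []byte) []byte {
	m := hmac.New(sha256.New, k.Mac)
	m.Write(append(append([]byte{tag}, nonce...), ct...))
	return m.Sum(nil)
}

// ctr applies AES-CTR under the encryption key; decryption is the same operation.
func ctr(k KeyPair, nonce, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out, nil
}

// Protect: encrypt with the encryption key, then MAC with the integrity key.
func Protect(k KeyPair, tag byte, plaintext []byte) (Segment, error) {
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return Segment{}, err
	}
	ct, err := ctr(k, nonce, plaintext)
	return Segment{Tag: tag, Nonce: nonce, Ciphertext: ct, ICV: icv(k, tag, nonce, ct)}, err
}

// Unprotect checks the expected tag and the integrity field (constant-time compare)
// before decrypting; a segment that fails yields no plaintext at all.
func Unprotect(k KeyPair, s Segment, want byte) ([]byte, error) {
	if s.Tag != want || !hmac.Equal(s.ICV, icv(k, s.Tag, s.Nonce, s.Ciphertext)) {
		return nil, fmt.Errorf("segment %#x: tag or integrity verification failed", s.Tag)
	}
	return ctr(k, s.Nonce, s.Ciphertext)
}

// BuildBPP is the SM-DP+ side of the variant in which the protection key travels
// under the session key and program and profile are encrypted with the protection key.
func BuildBPP(session, protection KeyPair, program, profile []byte) ([]Segment, error) {
	wrapped := append(append([]byte{}, protection.Enc...), protection.Mac...)
	var bpp []Segment
	for _, p := range []struct{ k KeyPair; tag byte; pt []byte }{
		{session, TagProtectionKey, wrapped}, {protection, TagAlgorithm, program}, {protection, TagProfile, profile}} {
		s, err := Protect(p.k, p.tag, p.pt)
		if err != nil {
			return nil, err
		}
		bpp = append(bpp, s)
	}
	return bpp, nil
}

// UnpackBPP is the eUICC side: recover the protection key with the session key,
// then the algorithm program, then the profile, in the order the LPA delivers them.
func UnpackBPP(session KeyPair, bpp []Segment) (program, profile []byte, err error) {
	if len(bpp) != 3 {
		return nil, nil, fmt.Errorf("want 3 segments, got %d", len(bpp))
	}
	raw, err := Unprotect(session, bpp[0], TagProtectionKey)
	if err != nil || len(raw) != 48 {
		return nil, nil, fmt.Errorf("protection key segment rejected (%d bytes): %v", len(raw), err)
	}
	protection := KeyPair{Enc: raw[:16], Mac: raw[16:]}
	program, err = Unprotect(protection, bpp[1], TagAlgorithm)
	if err == nil {
		profile, err = Unprotect(protection, bpp[2], TagProfile)
	}
	return program, profile, err
}
```

The eUICC side verifies the integrity field before it decrypts anything and checks the tag it expects at each position, so a segment that was modified, encrypted under another key or swapped with the profile is rejected without any plaintext being produced. Including the tag in the MAC input also binds each segment to its role in the package.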
As an optional embodiment, the authentication algorithm program is encrypted by the MNO with the public key of the eUICC, and the processing module 2002 is further configured to decrypt the authentication algorithm program with the private key of the eUICC.
As an optional embodiment, the processing module 2002 is further configured to delete the authentication algorithm program when the eUICC deletes the profile.
As an optional embodiment, the communication module 2001 is further configured to receive, after the processing module 2002 has added the authentication algorithm program to the eUICC, an enable profile command sent by the LPA, the command instructing the eUICC to enable the profile. The processing module 2002 is further configured to determine the corresponding authentication algorithm program according to the identifier of the authentication algorithm program in the profile, to configure the authentication algorithm program with the network access application parameters of the profile, and to perform mutual authentication with the network using the authentication algorithm program.
Based on the same inventive concept, the principle by which the eUICC provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the eUICC may therefore refer to the implementation of the method and, for brevity, is not repeated here.
An embodiment of the present invention further provides an LPA. The LPA includes a communication module, wherein the communication module is configured to receive fifth information sent by the Subscription Manager Data Preparation (SM-DP+) server; to send the authentication algorithm program in the bound profile package to the embedded universal integrated circuit card (eUICC) according to the fifth information; to receive a message sent by the eUICC indicating that the addition of the authentication algorithm program is complete; and to send the profile in the bound profile package to the eUICC.
As an optional embodiment, the fifth information is the length information of the authentication algorithm program, or the fifth information is the tag information of the encrypted segment data of the bound profile package.
As an optional embodiment, the length information of the authentication algorithm program is included in the store metadata of the bound profile package.
Based on the same inventive concept, the principle by which the LPA provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the LPA may therefore refer to the implementation of the method and, for brevity, is not repeated here.
Referring to Figure 21, Figure 21 is a schematic structural diagram of a user terminal provided in an embodiment of the present invention. As shown in Figure 21, the user terminal includes a communication module 2101 and a processing module 2102. Wherein:
The communication module 2101 is configured to receive a bound profile package sent by the Subscription Manager Data Preparation (SM-DP+) server. The bound profile package includes an authentication algorithm program, the authentication algorithm program corresponds to target information, and the target information is at least one of the firmware version information of the embedded universal integrated circuit card (eUICC), the EID issuer identifier of the eUICC, the platform/operating system version information of the eUICC and the capability information of the eUICC. The processing module 2102 is configured to add the authentication algorithm program to the eUICC.
Referring to Figure 22, Figure 22 is another possible schematic structural diagram of the SM-DP+ server disclosed in the embodiments of the present invention. As shown in Figure 22, the SM-DP+ server 2200 includes a processor 2201, a memory 2202 and a communication interface 2204. The processor 2201 is connected to the memory 2202, and the communication interface 2204 is connected to the processor 2201. Optionally, the SM-DP+ server 2200 may further include a bus system 2203, through which the processor 2201, the memory 2202 and the communication interface 2204 are connected.
The processor 2201 may be a central processing unit (CPU), a general-purpose processor, a coprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic, a hardware component, or any combination thereof. The processor 2201 may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus system 2203 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The bus system 2203 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only a single thick line is drawn in Figure 22, which does not mean that there is only one bus or only one type of bus.
The communication interface 2204 is used for communication with other network elements (such as the LPA and the MNO).
The processor 2201 invokes the program code stored in the memory 2202 and can thereby perform any one or more of the steps performed by the SM-DP+ server in the method embodiments above; for example, the processor 2201 invokes the program code stored in the memory 2202 to perform the steps performed by the SM-DP+ server in Figures 3 to 13, Figure 15 or Figure 17.
Based on the same inventive concept, the principle by which the SM-DP+ server provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the SM-DP+ server may therefore refer to the implementation of the method and, for brevity, is not repeated here.
Referring to Figure 23, Figure 23 is another possible schematic structural diagram of the eUICC disclosed in the embodiments of the present invention. As shown in Figure 23, the eUICC 2300 includes a processor 2301, a memory 2302 and a communication interface 2304. The processor 2301 is connected to the memory 2302, and the communication interface 2304 is connected to the processor 2301. Optionally, the eUICC 2300 may further include a bus system 2303, through which the processor 2301, the memory 2302 and the communication interface 2304 are connected.
The processor 2301 may be a central processing unit (CPU), a general-purpose processor, a coprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic, a hardware component, or any combination thereof. The processor 2301 may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus system 2303 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The bus system 2303 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only a single thick line is drawn in Figure 23, which does not mean that there is only one bus or only one type of bus.
The communication interface 2304 is used for communication with other network elements (such as the LPA).
The processor 2301 invokes the program code stored in the memory 2302 and can thereby perform any one or more of the steps performed by the eUICC in the method embodiments above; for example, the processor 2301 invokes the program code stored in the memory 2302 to perform the steps performed by the eUICC in Figures 3 to 13, Figure 15 or Figure 17.
Based on the same inventive concept, the principle by which the eUICC provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the eUICC may therefore refer to the implementation of the method and, for brevity, is not repeated here.
Referring to Figure 24, Figure 24 is a possible schematic structural diagram of the LPA disclosed in the embodiments of the present invention. As shown in Figure 24, the LPA 2400 includes a processor 2401, a memory 2402 and a communication interface 2404. The processor 2401 is connected to the memory 2402, and the communication interface 2404 is connected to the processor 2401. Optionally, the LPA 2400 may further include a bus system 2403, through which the processor 2401, the memory 2402 and the communication interface 2404 are connected.
The processor 2401 may be a central processing unit (CPU), a general-purpose processor, a coprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic, a hardware component, or any combination thereof. The processor 2401 may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus system 2403 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The bus system 2403 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only a single thick line is drawn in Figure 24, which does not mean that there is only one bus or only one type of bus.
The communication interface 2404 is used for communication with other network elements (such as the eUICC or the SM-DP+ server).
The processor 2401 invokes the program code stored in the memory 2402 and can thereby perform any one or more of the steps performed by the LPA in the method embodiments above; for example, the processor 2401 invokes the program code stored in the memory 2402 to perform the steps performed by the LPA in Figures 3 to 13, Figure 15 or Figure 17.
Based on the same inventive concept, the principle by which the LPA provided in the embodiments of the present invention solves the problem is similar to that of the method embodiments; the implementation of the LPA may therefore refer to the implementation of the method and, for brevity, is not repeated here.
Referring to Figure 25, Figure 25 is a possible schematic structural diagram of the user terminal disclosed in the embodiments of the present invention. As shown in Figure 25, the user terminal includes an LPA 2501, a communication module 2502 and an eUICC 2503, wherein:
The LPA 2501 is configured to receive a bound profile package sent by the SM-DP+ server. The bound profile package includes an authentication algorithm program, the authentication algorithm program corresponds to target information, and the target information is at least one of the firmware version information of the eUICC 2503, the EID issuer identifier of the eUICC 2503, the platform/operating system version information of the eUICC 2503 and the capability information of the eUICC 2503.
The LPA 2501 is further configured to send the authentication algorithm program via the communication module 2502 to the eUICC 2503, where it is added.
The communication module 2502 may be a modem.
It should be noted that each of the embodiments above has its own emphasis in its description; for a part not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
The steps in the embodiments of the present invention may be reordered, combined or deleted according to actual needs.
The modules described in the embodiments of the present invention may be implemented by a general-purpose integrated circuit such as a CPU (Central Processing Unit) or by an ASIC (Application Specific Integrated Circuit).
Finally, it should be noted that the embodiments above only illustrate the technical solutions of the present application and do not limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present application.

Claims (66)

  1. A kind of adding method of authentication arithmetic program, which is characterized in that the described method includes:
    Management-data preparation SM-DP+ server of contracting receives the authentication arithmetic program that Mobile Network Operator MNO is sent, the authentication arithmetic program is corresponding with target information, and the target information is at least one of universal embedded Integrated Circuit Card Identity EID issuer mark, platform/operating system version information of the eUICC and the ability information of the eUICC of the firmware version information of universal embedded integrated circuit card eUICC, the eUICC;
    The SM-DP+ server generates the binding configuration file packet including the authentication arithmetic program, and sends the binding configuration file packet into the eUICC by local profile assistant LPA.
  2. The method according to claim 1, wherein the authentication arithmetic program is for being added in the authentication arithmetic collection of programs of the eUICC.
  3. Method according to claim 1 or 2, it is characterized in that, the target information includes the firmware version information of eUICC, the EID issuer mark of the eUICC and platform/operating system version information of the eUICC, before the signing management-data preparation SM-DP+ server receives the authentication arithmetic program that Mobile Network Operator MNO is sent, the method also includes:
    The SM-DP+ server receives the first information that the MNO is sent, and the first information includes EID information;
    The SM-DP+ server receives the second information that the LPA is sent, and second information includes eUICC information;
    The SM-DP+ server obtains the firmware version information from the eUICC message;
    The SM-DP+ server obtains the EID issuer mark and the platform/operating system version information from the EID message;
    The SM-DP+ server sends third information to the MNO, and the third information includes the firmware version information, EID issuer mark and the platform/operating system version information.
  4. According to the method described in claim 3, it is characterized in that, the target information further includes the ability information of the eUICC, the method also includes:
    The SM-DP+ server obtains the ability information of the eUICC from the eUICC message;
    Wherein, the third information further includes the ability information of the eUICC.
  5. The method according to claim 3 or 4, it is characterized in that, it further include authentication arithmetic program addition mark in the first information, the authentication arithmetic program addition mark is used to indicate the SM-DP+ server after obtaining the firmware version information, EID issuer mark and the platform/operating system version information, and Xiang Suoshu MNO requests the authentication arithmetic program.
  6. According to method described in claim 3~5 any one, it is characterized in that, it further include authentication arithmetic program addition mark in second information, the authentication arithmetic program addition mark is used to indicate the SM-DP+ server after obtaining the firmware version information, EID issuer mark and the platform/operating system version information, Xiang Suoshu MNO Request the authentication arithmetic program.
  7. According to method described in claim 3~6 any one, which is characterized in that the third information is processing downloading process information.
  8. Method described in any one according to claim 1~7, which is characterized in that the method also includes:
    The SM-DP+ server receives the mark for the authentication arithmetic program that the MNO is sent and the length information of the authentication arithmetic program;
    After the SM-DP+ server receives the authentication arithmetic program that the MNO is sent, the method also includes:
    The mark of the SM-DP+ server authentication arithmetic program and the length information of the authentication arithmetic program generate the first digital signature;
    The SM-DP+ server sends the 4th information to the eUICC by the LPA, and the 4th information includes the mark of the authentication arithmetic program, the length information of the authentication arithmetic program and first digital signature;
    The SM-DP+ server receives the second digital signature that the eUICC is sent by the LPA;
    The SM-DP+ server verifies second digital signature;
    if the SM-DP+ server's verification of the second digital signature succeeds, the SM-DP+ server performs the step of generating the bound profile package that includes the authentication algorithm program.
  9. The method according to any one of claims 1~7, characterized in that the method further includes:
    the SM-DP+ server receives the identifier of the authentication algorithm program and the length information of the authentication algorithm program sent by the MNO;
    wherein the store metadata of the bound profile package includes the identifier and the length information of the authentication algorithm program.
  10. The method according to any one of claims 1~9, characterized in that the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the "install bound patch and profile" type, and the "install bound patch and profile" type is used to indicate that the bound profile package includes the authentication algorithm program and a profile.
  11. The method according to any one of claims 1~10, characterized in that the bound profile package further includes a profile, and the authentication algorithm program and the profile are encrypted with a session key.
  12. The method according to any one of claims 1~10, characterized in that the bound profile package further includes a profile and a protection key, and the authentication algorithm program and the profile are encrypted with the protection key.
  13. The method according to any one of claims 1~10, characterized in that the bound profile package further includes a profile and a protection key, the authentication algorithm program is encrypted with a session key, and the profile is encrypted with the protection key.
  14. The method according to any one of claims 1~13, characterized in that the authentication algorithm program is encrypted by the MNO with the public key of the eUICC.
  15. A method for adding an authentication algorithm program, characterized in that the method includes:
    an embedded universal integrated circuit card (eUICC) receives a bound profile package sent by a local profile assistant (LPA), the bound profile package including initial secure channel information, store metadata, an authentication algorithm program and a profile, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of the eUICC, an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    the eUICC adds the authentication algorithm program to the eUICC.
  16. The method according to claim 15, characterized in that before the eUICC receives the initial secure channel information sent by the LPA, the method further includes:
    the eUICC receives fourth information sent by the SM-DP+ server via the LPA, the fourth information including the identifier of the authentication algorithm program, the length information of the authentication algorithm program and a first digital signature;
    the eUICC verifies the first digital signature using the identifier of the authentication algorithm program and the length information of the authentication algorithm program;
    if the eUICC's verification of the first digital signature succeeds, the eUICC generates a second digital signature over the first digital signature;
    the eUICC sends the second digital signature to the SM-DP+ server via the LPA.
  17. The method according to claim 16, characterized in that after the eUICC receives the authentication algorithm program sent by the LPA, the method further includes:
    the eUICC adds the identifier of the authentication algorithm program to the eUICC.
  18. The method according to claim 15, characterized in that the store metadata includes the identifier of the authentication algorithm program, and the method further includes:
    the eUICC adds the identifier of the authentication algorithm program to the eUICC.
  19. The method according to any one of claims 15~18, characterized in that the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the "install bound patch and profile" type, and the "install bound patch and profile" type is used to indicate that the bound profile package includes the authentication algorithm program and a profile.
  20. The method according to any one of claims 15~19, characterized in that the authentication algorithm program and the profile are encrypted with a session key, and after the eUICC receives the authentication algorithm program sent by the LPA, the method further includes:
    the eUICC decrypts the authentication algorithm program with the session key;
    after the eUICC receives the profile sent by the LPA, the method further includes:
    the eUICC decrypts the profile with the session key.
  21. The method according to any one of claims 15~19, characterized in that the authentication algorithm program and the profile are encrypted with a protection key, the bound profile package further includes the protection key, the protection key is encrypted with a session key, and before the eUICC receives the authentication algorithm program sent by the LPA, the method further includes:
    the eUICC receives the protection key sent by the LPA;
    the eUICC decrypts the protection key with the session key;
    after the eUICC receives the authentication algorithm program sent by the LPA, the method further includes:
    the eUICC decrypts the authentication algorithm program with the protection key;
    after the eUICC receives the profile sent by the LPA, the method further includes:
    the eUICC decrypts the profile with the protection key.
  22. The method according to any one of claims 15~19, characterized in that the authentication algorithm program is encrypted with a session key, the profile is encrypted with a protection key, the bound profile package further includes the protection key, the protection key is encrypted with the session key, and before the eUICC receives the profile sent by the LPA, the method further includes:
    the eUICC receives the protection key sent by the LPA;
    the eUICC decrypts the protection key with the session key;
    after the eUICC receives the authentication algorithm program sent by the LPA, the method further includes:
    the eUICC decrypts the authentication algorithm program with the session key;
    after the eUICC receives the profile sent by the LPA, the method further includes:
    the eUICC decrypts the profile with the protection key.
  23. The method according to any one of claims 15~19, characterized in that the authentication algorithm program is encrypted by the MNO with the public key of the eUICC, and the method further includes:
    the eUICC decrypts the authentication algorithm program with the private key of the eUICC.
  24. The method according to any one of claims 15~23, characterized in that the method further includes:
    if the eUICC deletes the profile, the eUICC deletes the authentication algorithm program.
  25. The method according to any one of claims 15~24, characterized in that after the eUICC adds the authentication algorithm program to the eUICC, the method further includes:
    the eUICC receives an enable profile command sent by the LPA, the enable profile command instructing the eUICC to enable the profile;
    the eUICC determines the corresponding authentication algorithm program according to the identifier of the authentication algorithm program in the profile;
    the eUICC configures the authentication algorithm program with the network access application (NAA) parameters of the profile;
    the eUICC performs mutual authentication with the network using the authentication algorithm program.
  26. The method according to any one of claims 15~25, characterized in that the eUICC receiving the bound profile package sent by the LPA includes:
    the eUICC receives the initial secure channel information in the bound profile package sent by the LPA;
    the eUICC receives the store metadata in the bound profile package sent by the LPA;
    the eUICC receives the authentication algorithm program in the bound profile package sent by the LPA;
    the eUICC sends the LPA a message indicating that the addition of the authentication algorithm program is complete;
    the eUICC receives the profile in the bound profile package sent by the LPA.
  27. A method for adding an authentication algorithm program, characterized in that the method includes:
    a local profile assistant (LPA) receives fifth information sent by a subscription manager data preparation (SM-DP+) server;
    the LPA sends the authentication algorithm program in a bound profile package to an embedded universal integrated circuit card (eUICC) according to the fifth information, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of the eUICC, an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    the LPA receives a message sent by the eUICC indicating that the addition of the authentication algorithm program is complete;
    the LPA sends the profile in the bound profile package to the eUICC.
  28. The method according to claim 27, characterized in that the fifth information is the length information of the authentication algorithm program, or the fifth information is tag information of the encrypted segment data of the bound profile package.
  29. The method according to claim 28, characterized in that the length information of the authentication algorithm program is included in the store metadata of the bound profile package.
  30. A method for adding an authentication algorithm program, characterized in that the method includes:
    a user terminal receives, via a local profile assistant (LPA), a bound profile package sent by a subscription manager data preparation (SM-DP+) server, the bound profile package including an authentication algorithm program, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of an embedded universal integrated circuit card (eUICC), an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    the user terminal sends the authentication algorithm program to the eUICC via the LPA, or adds the authentication algorithm program to the eUICC.
  31. A subscription manager data preparation (SM-DP+) server, characterized in that the SM-DP+ server includes:
    a communication module, configured to receive an authentication algorithm program sent by a mobile network operator (MNO), where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of an embedded universal integrated circuit card (eUICC), an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    a processing module, configured to generate a bound profile package that includes the authentication algorithm program;
    the communication module being further configured to send the bound profile package to the eUICC via a local profile assistant (LPA), where the authentication algorithm program is to be added to the eUICC.
  32. The SM-DP+ server according to claim 31, characterized in that the authentication algorithm program is to be added to the authentication algorithm program set of the eUICC.
  33. The SM-DP+ server according to claim 31 or 32, characterized in that the target information includes the firmware version information of the eUICC, the EID issuer identifier of the eUICC and the platform/operating system version information of the eUICC, and:
    the communication module is further configured to receive, before receiving the authentication algorithm program sent by the MNO, first information sent by the MNO, the first information including EID information;
    the communication module is further configured to receive second information sent by the LPA, the second information including eUICC information;
    the processing module is further configured to obtain the firmware version information from the eUICC information;
    the processing module is further configured to obtain the EID issuer identifier and the platform/operating system version information from the EID information;
    the communication module is further configured to send third information to the MNO, the third information including the firmware version information, the EID issuer identifier and the platform/operating system version information.
  34. The SM-DP+ server according to claim 33, characterized in that the target information further includes the capability information of the eUICC, and the processing module is further configured to obtain the capability information of the eUICC from the eUICC information; wherein the third information further includes the capability information of the eUICC.
  35. The SM-DP+ server according to claim 33 or 34, characterized in that the first information further includes an authentication algorithm program addition indicator, the authentication algorithm program addition indicator being used to instruct the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information.
  36. The SM-DP+ server according to any one of claims 33~35, characterized in that the second information further includes an authentication algorithm program addition indicator, the authentication algorithm program addition indicator being used to instruct the SM-DP+ server to request the authentication algorithm program from the MNO after obtaining the firmware version information, the EID issuer identifier and the platform/operating system version information.
  37. The SM-DP+ server according to any one of claims 34~36, characterized in that the third information is download progress handling information.
  38. The SM-DP+ server according to any one of claims 33~37, characterized in that:
    the communication module is further configured to receive the identifier of the authentication algorithm program and the length information of the authentication algorithm program sent by the MNO;
    the processing module is further configured to generate, after the communication module receives the authentication algorithm program sent by the MNO, a first digital signature over the identifier of the authentication algorithm program and the length information of the authentication algorithm program;
    the communication module is further configured to send fourth information to the eUICC via the LPA, the fourth information including the identifier of the authentication algorithm program, the length information of the authentication algorithm program and the first digital signature;
    the communication module is further configured to receive a second digital signature sent by the eUICC via the LPA;
    the processing module is further configured to verify the second digital signature;
    if the processing module's verification of the second digital signature succeeds, the processing module is triggered to generate the bound profile package that includes the authentication algorithm program.
  39. The SM-DP+ server according to any one of claims 31~37, characterized in that:
    the communication module is further configured to receive the identifier of the authentication algorithm program and the length information of the authentication algorithm program sent by the MNO;
    wherein the store metadata of the bound profile package includes the identifier and the length information of the authentication algorithm program.
  40. The SM-DP+ server according to any one of claims 31~39, characterized in that the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the "install bound patch and profile" type, and the "install bound patch and profile" type is used to indicate that the bound profile package includes the authentication algorithm program and a profile.
  41. The SM-DP+ server according to any one of claims 31~40, characterized in that the bound profile package further includes a profile, and the authentication algorithm program and the profile are encrypted with a session key.
  42. The SM-DP+ server according to any one of claims 31~40, characterized in that the bound profile package further includes a profile and a protection key, and the authentication algorithm program and the profile are encrypted with the protection key.
  43. The SM-DP+ server according to any one of claims 31~40, characterized in that the bound profile package further includes a profile and a protection key, the authentication algorithm program is encrypted with a session key, and the profile is encrypted with the protection key.
  44. The SM-DP+ server according to any one of claims 31~43, characterized in that the authentication algorithm program is encrypted by the MNO with the public key of the eUICC.
  45. An embedded universal integrated circuit card (eUICC), characterized in that the eUICC includes:
    a communication module, configured to receive a bound profile package sent by a local profile assistant (LPA), the bound profile package including initial secure channel information, store metadata, an authentication algorithm program and a profile, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of the eUICC, an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    a processing module, configured to add the authentication algorithm program to the eUICC.
  46. The eUICC according to claim 45, characterized in that:
    the communication module is further configured to receive, before the communication module receives the initial secure channel information sent by the LPA, fourth information sent by the SM-DP+ server via the LPA, the fourth information including the identifier of the authentication algorithm program, the length information of the authentication algorithm program and a first digital signature;
    the processing module is further configured to verify the first digital signature using the identifier of the authentication algorithm program and the length information of the authentication algorithm program;
    the processing module is further configured to generate, if the verification of the first digital signature succeeds, a second digital signature over the first digital signature;
    the communication module is further configured to send the second digital signature to the SM-DP+ server via the LPA.
  47. The eUICC according to claim 46, characterized in that:
    the processing module is further configured to add, after the communication module receives the authentication algorithm program sent by the LPA, the identifier of the authentication algorithm program to the eUICC.
  48. The eUICC according to claim 45, characterized in that the store metadata includes the identifier of the authentication algorithm program, and:
    the processing module is further configured to add the identifier of the authentication algorithm program to the eUICC.
  49. The eUICC according to any one of claims 45~48, characterized in that the initial secure channel information of the bound profile package includes a remote operation type identifier whose value is the "install bound patch and profile" type, and the "install bound patch and profile" type is used to indicate that the bound profile package includes the authentication algorithm program and a profile.
  50. The eUICC according to any one of claims 45~49, characterized in that the authentication algorithm program and the profile are encrypted with a session key, and:
    the processing module is further configured to decrypt the authentication algorithm program with the session key after the communication module receives the authentication algorithm program sent by the LPA;
    the processing module is further configured to decrypt the profile with the session key after the communication module receives the profile sent by the LPA.
  51. The eUICC according to any one of claims 45~49, characterized in that the authentication algorithm program and the profile are encrypted with a protection key, the bound profile package further includes the protection key, the protection key is encrypted with a session key, and:
    the communication module is further configured to receive the protection key sent by the LPA before receiving the authentication algorithm program sent by the LPA;
    the processing module is further configured to decrypt the protection key with the session key;
    the processing module is further configured to decrypt the authentication algorithm program with the protection key after the communication module receives the authentication algorithm program sent by the LPA;
    the processing module is further configured to decrypt the profile with the protection key after the communication module receives the profile sent by the LPA.
  52. The eUICC according to any one of claims 45~49, characterized in that the authentication algorithm program is encrypted with a session key, the profile is encrypted with a protection key, the bound profile package further includes the protection key, the protection key is encrypted with the session key, and:
    the communication module is further configured to receive the protection key sent by the LPA before receiving the profile sent by the LPA;
    the processing module is further configured to decrypt the protection key with the session key;
    the processing module is further configured to decrypt the authentication algorithm program with the session key after the communication module receives the authentication algorithm program sent by the LPA;
    the processing module is further configured to decrypt the profile with the protection key after the communication module receives the profile sent by the LPA.
  53. The eUICC according to any one of claims 45~49, characterized in that the authentication algorithm program is encrypted by the MNO with the public key of the eUICC, and:
    the processing module is further configured to decrypt the authentication algorithm program with the private key of the eUICC.
  54. The eUICC according to any one of claims 45~53, characterized in that:
    the processing module is further configured to delete the authentication algorithm program if the eUICC deletes the profile.
  55. The eUICC according to any one of claims 45~54, characterized in that:
    the communication module is further configured to receive, after the processing module adds the authentication algorithm program to the eUICC, an enable profile command sent by the LPA, the enable profile command instructing the eUICC to enable the profile;
    the processing module is further configured to determine the corresponding authentication algorithm program according to the identifier of the authentication algorithm program in the profile;
    the processing module is further configured to configure the authentication algorithm program with the network access application (NAA) parameters of the profile;
    the processing module is further configured to perform mutual authentication with the network using the authentication algorithm program.
  56. The eUICC according to any one of claims 45~55, characterized in that the communication module receives the bound profile package sent by the local profile assistant (LPA) as follows:
    the communication module receives the initial secure channel information in the bound profile package sent by the LPA;
    the communication module receives the store metadata in the bound profile package sent by the LPA;
    the communication module receives the authentication algorithm program in the bound profile package sent by the LPA;
    the communication module sends the LPA a message indicating that the addition of the authentication algorithm program is complete;
    the communication module receives the profile in the bound profile package sent by the LPA.
  57. A local profile assistant (LPA), characterized in that the LPA includes:
    a communication module, configured to receive fifth information sent by a subscription manager data preparation (SM-DP+) server;
    the communication module being further configured to send the authentication algorithm program in a bound profile package to an embedded universal integrated circuit card (eUICC) according to the fifth information, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of the eUICC, an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    the communication module being further configured to receive a message sent by the eUICC indicating that the addition of the authentication algorithm program is complete;
    the communication module being further configured to send the profile in the bound profile package to the eUICC.
  58. The LPA according to claim 57, characterized in that the fifth information is the length information of the authentication algorithm program, or the fifth information is tag information of the encrypted segment data of the bound profile package.
  59. The LPA according to claim 58, characterized in that the length information of the authentication algorithm program is included in the store metadata of the bound profile package.
  60. A user terminal, characterized in that the user terminal includes:
    a communication module, configured to receive, via a local profile assistant (LPA), a bound profile package sent by a subscription manager data preparation (SM-DP+) server, the bound profile package including an authentication algorithm program, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of an embedded universal integrated circuit card (eUICC), an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    a processing module, configured to send the authentication algorithm program to the eUICC via the LPA, or to add the authentication algorithm program to the eUICC.
  61. A subscription manager data preparation (SM-DP+) server, characterized in that the SM-DP+ server includes a processor, a memory, a communication interface and one or more programs; the processor is connected to the communication interface and the memory, the one or more programs are stored in the memory, and the processor is configured to call the programs in the memory to perform the method according to any one of claims 1~14.
  62. An embedded universal integrated circuit card (eUICC), characterized in that the eUICC includes a processor, a memory, a communication interface and one or more programs; the processor is connected to the communication interface and the memory, the one or more programs are stored in the memory, and the processor is configured to call the programs in the memory to perform the method according to any one of claims 15~26.
  63. A local profile assistant (LPA), characterized in that the LPA includes a processor, a memory, a communication interface and one or more programs; the processor is connected to the communication interface and the memory, the one or more programs are stored in the memory, and the processor is configured to call the programs in the memory to perform the method according to any one of claims 27~29.
  64. A user terminal, characterized in that the user terminal includes a local profile assistant (LPA), a communication module and an embedded universal integrated circuit card (eUICC), where:
    the LPA is configured to receive a bound profile package sent by a subscription manager data preparation (SM-DP+) server, the bound profile package including an authentication algorithm program, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of the eUICC, an EID issuer identifier of the eUICC (EID: eUICC identifier), platform/operating system version information of the eUICC, and capability information of the eUICC;
    the LPA is further configured to send the authentication algorithm program to the eUICC via the communication module, or to add the authentication algorithm program to the eUICC.
  65. A system for adding an authentication algorithm program, characterized in that the system includes: the SM-DP+ server according to any one of claims 31 to 44, the eUICC according to any one of claims 45 to 56, and the LPA according to any one of claims 57 to 59.
  66. A system for adding an authentication algorithm program, characterized in that the system includes: the SM-DP+ server according to any one of claims 31 to 44, and the user terminal according to claim 60.
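The following Python is an added example, not code from the patent, from Huawei, or from any GSMA implementation. It models in one run the flow of method claims 15~30 and the mirroring apparatus claims 45~60: the SM-DP+ assembles the bound profile package with the key layering of claims 13/22 (algorithm under the session key, profile under a protection key that itself travels encrypted under the session key, identifier and length in the store metadata per claim 9); the LPA splits the package by segment tag and forwards the segments in the order of claims 26~28, refusing to send the profile before the eUICC reports the algorithm as added; the eUICC checks the remote operation type, bounds the algorithm by the announced length, installs algorithm then profile, enables the profile by resolving the algorithm through the identifier in the profile (claim 25) and cascades deletion (claim 24). The TLV tags, the HMAC-SHA256 counter-mode cipher standing in for SCP03t/AES, the status strings and every key, ICCID and identifier are assumptions, not SGP.22 values.

```python
# Added example, not code from the patent or from any GSMA implementation: a constructed model of
# the bound-profile-package (BPP) flow of claims 15-30 and 45-60. All tags, keys and ids are assumed.
import hashlib, hmac, os, struct

TAG_INIT_SECURE_CHANNEL, TAG_STORE_METADATA, TAG_PROTECTION_KEY = 0xA0, 0xA1, 0xA2
TAG_ALGORITHM, TAG_PROFILE, OP_INSTALL_BOUND_PATCH_AND_PROFILE = 0xA3, 0xA4, 0x02  # assumed values
ALGO = b"hmac-sha256-aka-v1"  # constructed stand-in for an authentication algorithm program blob

def tlv(tag, value): return bytes([tag]) + struct.pack(">H", len(value)) + value

def parse_tlvs(buf):
    out, i = [], 0
    while i < len(buf):
        ln = struct.unpack(">H", buf[i + 1:i + 3])[0]
        out.append((buf[i], buf[i + 3:i + 3 + ln])); i += 3 + ln
    return out

def _keystream(key, nonce, n):  # HMAC counter mode, an assumed stand-in for the AES of SCP03t
    return b"".join(hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
                    for c in range((n + 31) // 32))[:n]

def seal(key, pt):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def smdp_build_bpp(session_key, algo_id, algo_blob, ki, iccid):
    # SM-DP+ side (claims 9, 22): algorithm under the session key, profile under a wrapped protection key
    protection_key = os.urandom(32)
    metadata = iccid + tlv(0x81, algo_id) + tlv(0x82, struct.pack(">H", len(algo_blob)))
    profile = tlv(0x90, iccid) + tlv(0x91, algo_id) + tlv(0x92, ki)  # Ki as the NAA parameter
    return (tlv(TAG_INIT_SECURE_CHANNEL, bytes([OP_INSTALL_BOUND_PATCH_AND_PROFILE]))
            + tlv(TAG_STORE_METADATA, metadata)
            + tlv(TAG_PROTECTION_KEY, seal(session_key, protection_key))
            + tlv(TAG_ALGORITHM, seal(session_key, algo_blob))
            + tlv(TAG_PROFILE, seal(protection_key, profile)))

class EUICC:
    def __init__(self, session_key):
        self.session_key, self.protection_key, self.expected = session_key, None, None
        self.algorithms, self.profiles = {}, {}  # algorithm program set / installed profiles

    def load_segment(self, tag, value):  # one BPP segment, in the order of claim 26
        if tag == TAG_INIT_SECURE_CHANNEL and value[0] != OP_INSTALL_BOUND_PATCH_AND_PROFILE:
            raise ValueError("unexpected remote operation type")
        if tag == TAG_STORE_METADATA:
            f = dict(parse_tlvs(value[10:]))  # a 10-byte ICCID precedes the metadata TLVs
            self.expected = (f[0x81], struct.unpack(">H", f[0x82])[0])
        elif tag == TAG_PROTECTION_KEY:
            self.protection_key = open_(self.session_key, value)
        elif tag == TAG_ALGORITHM:
            algo_id, length = self.expected
            blob = open_(self.session_key, value)
            if len(blob) != length:  # the announced length bounds what may be installed
                raise ValueError("algorithm length does not match store metadata")
            self.algorithms[algo_id] = blob
            return "ALGORITHM_ADDED"  # the add-complete message of claim 26
        elif tag == TAG_PROFILE:
            p = dict(parse_tlvs(open_(self.protection_key, value)))
            if p[0x91] not in self.algorithms:
                raise ValueError("profile references an algorithm that is not installed")
            self.profiles[p[0x90]] = {"algo_id": p[0x91], "ki": p[0x92]}
        return "OK"

    def enable_profile(self, iccid, rand, network_mac):
        # Claim 25: resolve the algorithm by the id in the profile, run it on the NAA parameter, return RES
        prof = self.profiles[iccid]
        algo, ki = self.algorithms[prof["algo_id"]], prof["ki"]
        if not hmac.compare_digest(network_mac, hmac.new(ki, algo + b"net" + rand, hashlib.sha256).digest()):
            raise ValueError("network authentication failed")
        return hmac.new(ki, algo + b"res" + rand, hashlib.sha256).digest()

    def delete_profile(self, iccid):  # claim 24; sparing a still-referenced algorithm is an added caveat
        algo_id = self.profiles.pop(iccid)["algo_id"]
        if all(p["algo_id"] != algo_id for p in self.profiles.values()):
            del self.algorithms[algo_id]

def lpa_install(euicc, bpp):
    # Claims 26-28: split the BPP by segment tag, forward in order, never send the profile first
    added = False
    for tag, value in parse_tlvs(bpp):
        if tag == TAG_PROFILE and not added:
            raise RuntimeError("profile sent before the algorithm add completed")
        added |= euicc.load_segment(tag, value) == "ALGORITHM_ADDED"
    return added

def run_demo():  # constructed end-to-end run with sample keys and identifiers
    session_key, ki, rand = os.urandom(32), os.urandom(16), os.urandom(16)
    algo_id, iccid = b"\x01\x0a", bytes.fromhex("89860012345678901234")
    euicc = EUICC(session_key)
    added = lpa_install(euicc, smdp_build_bpp(session_key, algo_id, ALGO, ki, iccid))
    res = euicc.enable_profile(iccid, rand, hmac.new(ki, ALGO + b"net" + rand, hashlib.sha256).digest())
    res_ok = hmac.compare_digest(res, hmac.new(ki, ALGO + b"res" + rand, hashlib.sha256).digest())
    euicc.delete_profile(iccid)
    return {"algorithm_added": added, "res_ok": res_ok, "algorithm_deleted": algo_id not in euicc.algorithms}
```

Two checks are worth keeping when the flow is implemented for real: the eUICC must reject an algorithm segment whose decrypted length differs from the length announced in the (signed) store metadata, and the LPA must not forward the profile segment until the add-complete message has been received, since a profile whose NAA parameters point at an algorithm identifier that is not yet installed cannot be enabled.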
CN201780087674.1A 2017-03-31 2017-03-31 Method for adding authentication algorithm program, related equipment and system Active CN110352605B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/079139 WO2018176430A1 (en) 2017-03-31 2017-03-31 Method for adding authentication algorithm program, and related device and system

Publications (2)

Publication Number Publication Date
CN110352605A true CN110352605A (en) 2019-10-18
CN110352605B CN110352605B (en) 2020-12-08

Family

ID=63674094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780087674.1A Active CN110352605B (en) 2017-03-31 2017-03-31 Method for adding authentication algorithm program, related equipment and system

Country Status (4)

Country Link
US (1) US20200382956A9 (en)
EP (1) EP3592014B1 (en)
CN (1) CN110352605B (en)
WO (1) WO2018176430A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113490210A (en) * 2021-06-17 2021-10-08 中国联合网络通信集团有限公司 Method and system for establishing auxiliary security domain
CN113498053A (en) * 2020-04-03 2021-10-12 苹果公司 Electronic user identity module transfer credential package

Families Citing this family (17)

Publication number Priority date Publication date Assignee Title
US10785645B2 (en) * 2015-02-23 2020-09-22 Apple Inc. Techniques for dynamically supporting different authentication algorithms
EP3726868B1 (en) * 2016-03-03 2021-09-22 Huawei Technologies Co., Ltd. Profile download method and system, and related device
US11194562B2 (en) * 2017-05-19 2021-12-07 Blackberry Limited Method and system for hardware identification and software update control
US10057761B1 (en) * 2017-05-31 2018-08-21 T-Mobile Usa, Inc. Capability- and user-based profile downloads for networked devices
CN110393019B (en) * 2017-08-30 2020-09-29 华为技术有限公司 Method and related device for updating firmware
US11523261B2 (en) * 2018-08-17 2022-12-06 Telefonaktiebolaget Lm Ericsson (Publ) Handling of subscription profiles for a set of wireless devices
KR102536948B1 (en) * 2018-10-29 2023-05-25 삼성전자주식회사 Method and apparatus for managing bundles of smart secure platform
IT201800009905A1 (en) * 2018-10-30 2020-04-30 St Microelectronics Srl Procedure for the generation of customized profile package data in integrated circuit cards, corresponding system and IT product
US10911945B1 (en) * 2018-11-19 2021-02-02 Sprint Spectrum L.P. Automated eUICC service profile configuration in view of operational issue with respect to eUICC service profile
US11026081B2 (en) 2019-09-13 2021-06-01 T-Mobile Usa, Inc. RSP platform selection for ESIM profile procurement
US20230209340A1 (en) * 2020-05-29 2023-06-29 Samsung Electronics Co., Ltd. Method and apparatus for transferring network access information between terminals in mobile communication system
WO2022002388A1 (en) 2020-07-01 2022-01-06 Telefonaktiebolaget Lm Ericsson (Publ) Ordering and creating a subscription profile for a subscriber entity
CN112667308B (en) * 2020-12-16 2022-09-20 Zhejiang Dahua Technology Co., Ltd. Characteristic information processing method, device and system
US20240080672A1 (en) * 2021-01-15 2024-03-07 Assa Abloy Ab Device provisioning of authentication capability
WO2024034949A1 (en) * 2022-08-12 2024-02-15 Samsung Electronics Co., Ltd. Method and device for provisioning a profile in a wireless communication system
CN116017403A (en) * 2022-12-30 2023-04-25 Tianyi IoT Technology Co., Ltd. LPA automatic compilation method, system and medium for eSIM devices
EP4429292A1 (en) * 2023-03-07 2024-09-11 Giesecke+Devrient Mobile Security Germany GmbH Profile generation for provisioning the profile to an euicc

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104469737A (en) * 2014-11-17 2015-03-25 China United Network Communications Group Co., Ltd. Embedded universal integrated circuit card and user subscription information activation method thereof
US20150087269A1 (en) * 2012-05-24 2015-03-26 KT Corporation Method for providing mobile communication provider information and device for performing same
CN105916144A (en) * 2015-02-23 2016-08-31 Apple Inc. Techniques for dynamically supporting different authentication algorithms
CN106537961A (en) * 2014-07-17 2017-03-22 Samsung Electronics Co., Ltd. Method and device for installing a profile on an eUICC

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103781054A (en) * 2012-10-19 2014-05-07 Huawei Device Co., Ltd. Method and device for terminating a terminal's subscription
CN106851628B (en) * 2013-12-05 2020-08-07 Huawei Device Co., Ltd. Method and device for downloading operator files
KR102231948B1 (en) * 2014-07-17 2021-03-25 Samsung Electronics Co., Ltd. Method and apparatus for updating a profile management server
WO2017041306A1 (en) * 2015-09-11 2017-03-16 Huawei Technologies Co., Ltd. Profile processing method, profile processing apparatus, user terminal and eUICC



Also Published As

Publication number Publication date
EP3592014B1 (en) 2021-03-03
EP3592014A1 (en) 2020-01-08
EP3592014A4 (en) 2020-03-18
CN110352605B (en) 2020-12-08
US20200382956A9 (en) 2020-12-03
WO2018176430A1 (en) 2018-10-04
US20200045544A1 (en) 2020-02-06

Similar Documents

Publication Publication Date Title
CN110352605A (en) Method for adding an authentication algorithm program, and related device and system
US11930360B2 (en) Method and system for updating certificate issuer public key, and related device
US9930527B2 (en) Methods and apparatus for storage and execution of access control clients
CN109756447B (en) Security authentication method and related equipment
EP1217850B1 (en) Method for permitting debugging and testing of software on an mobile communication device in a secure environment
RU2595904C2 (en) Methods and device for large-scale propagation of electronic access clients
CN112187709B (en) Authentication method, device and server
CN110519753B (en) Access method, device, terminal and readable storage medium
CN108762791A (en) Firmware upgrade method and device
CN107332817B (en) Mobile device supporting multiple access control clients and corresponding method
CN110650478A (en) OTA method, system, device, SE module, program server and medium
CN112752265A (en) Access control method and device for network slice and storage medium
CN110061833B (en) Binding update method and device for identity position
JP2012138729A (en) Data processing device, program and data processing system
EP4113341A1 (en) Encryption scheme for providing software updates to an update agent
CN116419224A (en) Communication method and device integrating trusted metrics
CN118827124A (en) Identity authentication method, device, equipment, storage medium and product
CN114625387A (en) System updating method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant